
INSTITUTE  FOR  DEFENSE  ANALYSES 

IDA  Paper  P-3511 


A  National  R&D  Institute  for  Information 
Infrastructure  Protection  (I3P) 


David  R.  Graham,  Project  Leader 
Gregory  J.  Ayres 
William  J.  Barlow 
James  P.  Bell 
Robert  Bovey 
Robert  P.  Hilton 
Julie  Consilvio  Kelly 
Charles  H.  Lyman 
Michael  S.  Nash 
Grant  A.  Sharp 
Caroline  F.  Ziemke 


DISTRIBUTION  STATEMENT  A 

Approved  for  Public  Release 
Distribution  Unlimited 


Contributors: 
Michael  Leonard 
W.T.  Mayfield 
Julian  Nall 
Robert  E.  Roberts 
John  R.  Shea 
Shelley  D.  Smith 




REPORT  DOCUMENTATION  PAGE 



1. AGENCY USE ONLY (Leave blank)

2. REPORT DATE: April 2000

3. REPORT TYPE AND DATES COVERED: Final


4.  TITLE  AND  SUBTITLE 

A  National  R&D  Institute  for  Information  Infrastructure  Protection  (I3P) 

5.  FUNDING  NUMBERS 

DASW01  -98  C  0067 

AJ-6-1770 

6.  AUTHOR(S) 

David  R.  Graham,  Gregory  J.  Ayres,  William  J.  Barlow,  James  P.  Bell, 
Robert  Bovey,  Robert  P.  Hilton,  Julie  Consilvio  Kelly,  Charles  H.  Lyman, 
Michael S. Nash, Grant A. Sharp, Caroline F. Ziemke

Contributors:  Michael  Leonard,  W.  T.  Mayfield,  Julian  Nall,  Robert  E. 
Roberts,  John  R.  Shea,  Shelley  D.  Smith 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Institute  for  Defense  Analyses 

1801  N.  Beauregard  Street 

Alexandria, VA 22311

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

IDA  Paper  P-3511 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

Office  of  the  Deputy  Under  Secretary  of  Defense  (Science  and 
Technology)/Information Systems Directorate

1777  N.  Kent  Street,  Suite  9030 

Rosslyn,  VA  22209 

10.  SPONSORING/MONITORING 

AGENCY  REPORT  NUMBER 

11. SUPPLEMENTARY NOTES

12a. DISTRIBUTION/AVAILABILITY STATEMENT

Approved for Public Release
Distribution Unlimited

12b.  DISTRIBUTION  CODE 

13.  ABSTRACT  (Maximum  200  words) 

This  paper  assesses  the  need  to  create  a  new  research  organization  with  the  mission  to  identify  and  address 
vulnerabilities  in  the  nation’s  information  systems  and  networks.  Despite  the  many  recent  initiatives  in  this  area,  a  broad 
cross-section  of  experts  agrees  that  such  an  organization — if  properly  structured — could  substantially  strengthen  a  range 
of  needed  functions.  The  paper  describes  these  functions  and  the  kind  of  organization  the  experts  believe  can  best 
perform  them. 


14. SUBJECT TERMS

Information security, information assurance, critical infrastructure protection, cyberterrorism,
cyber vulnerabilities, national infrastructure protection

15. NUMBER OF PAGES

16. PRICE CODE

17. SECURITY CLASSIFICATION OF REPORT: UNCLASSIFIED

18. SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED

19. SECURITY CLASSIFICATION OF ABSTRACT: UNCLASSIFIED

20. LIMITATION OF ABSTRACT: UL




PREFACE 


This  study  was  performed  by  the  Institute  for  Defense  Analyses  for  the  Office  of 
the  Deputy  Under  Secretary  of  Defense  (Science  and  Technology)  through  the 
Information  Systems  Directorate.  The  task  was  entitled  “Organization  for  National 
Information  Infrastructure  Protection.” 

Dr.  Charles  J.  Holland  and  Dr.  Steven  E.  King  of  the  sponsoring  office  provided 
guidance  and  oversight. 

Mr.  James  Kurtz  and  Dr.  Gregory  Larsen  of  IDA  reviewed  the  report.  Review 
comments on Chapter 11 also were provided by Rick Yanuzzi of the CIA. Oversight and
guidance  were  provided  by  Dr.  Robert  Roberts  and  Mr.  Michael  Leonard.  Ms.  Shelley 
Smith  edited  the  manuscript. 




CONTENTS 


Summary

Introduction

Part I  Experts’ Views on the PCAST Proposal

1. Background: The PCAST Proposal
2. The Experts’ Views on the PCAST Proposal
  A. Nature of the Challenge
  B. What Is to Be Done?
  C. Is a Laboratory the Best Organizational Approach?
  D. If Not a Laboratory, Then What Kind of Organization?
    1. A Private-Sector Institute
    2. Strong Leadership, Lean Staffing, and Strategic External Relations
    3. Stimulating Research Environment
    4. Direct Partnership with Industry
    5. Committed, High-Level Government Sponsorship
    6. Adequate and Secure Funding

Part II  Growing Awareness of Infrastructure Vulnerabilities

3. Gaining an Understanding of Cyber Vulnerabilities
  A. Background
  B. Infrastructure Vulnerabilities and Networked Information Systems
  C. Vulnerability of Automated Control Systems
  D. Potential Threats
  E. The Growing Body of Evidence on Vulnerabilities
4. Vulnerabilities in Key Sectors
  A. Internet Service
    1. Vulnerabilities of the Internet Itself
    2. Dependence of Other Critical Infrastructure Sectors on the Internet
    3. Vulnerabilities Resulting from Interconnection


  B. Telecommunications
    1. Existing Vulnerabilities
    2. Future Vulnerabilities
  C. Electric Power
    1. System Description
    2. Control Center Vulnerabilities
    3. Other Vulnerabilities
  D. Transportation
  E. Financial Services
    1. Core Payments Infrastructure
    2. Banking Systems
    3. Securities Market Systems
  F. Vulnerabilities and the Research Agenda

Part III  Functions Needed for Infrastructure Protection

5. Functional Assessment: Overview
  A. The Functional Areas
  B. The Baseline Organizations
6. Research and Development
  A. R&D Requirements
    1. PCAST Proposal
    2. IDA Interviews and Workshops
    3. R&D Roadmaps
    4. Needed R&D Functional Tasks
  B. Existing R&D Activities
    1. Government Infrastructure Protection R&D Activities
    2. Department of Energy
    3. Department of Commerce
    4. National Science Foundation
    5. Other Organizations
  C. The Role of the I3P
  D. External Relationships
7. Information Sharing
  A. Need for Information Sharing Function
    1. Background
    2. Information Sharing Tasks


  B. Existing Information Sharing Activities
  C. The Role of the I3P
  D. External Relationships
8. Product and Service Evaluation
  A. Need for Product and Services Evaluation Function
    1. PCAST Proposal
    2. Phase 1 Results
    3. Phase 2 Results
  B. Existing Activities
    1. U.S. Government
    2. BITS Laboratory
    3. Commercial Evaluation Services
    4. Evaluating Deployed Systems
    5. Professional Certification
    6. Standards Organizations
    7. Assessment of Existing Activities
  C. The Role of the I3P
    1. Harmonize Processes and Criteria Used by Overseers and Evaluators
    2. Facilitate Ongoing Work and Establishing New Capabilities, as Needed
    3. Fill Gaps in Evaluation and Standards Area Where Only the Institute Is Serviceable
    4. Oversee an R&D Program to Improve Test Methods and Develop Tools, Metrics, and Benchmarks
    5. Establish Linkages that Promote the Gathering and Sharing of Information
  D. External Relations
9. Education and Training
  A. Education and Training Requirements
    1. IDA Interviews and Workshops
    2. Pipeline of Information Technology Workers
  B. Potential Remedial Measures
    1. Increase the Number of Information Security Professionals
    2. Establish a Pool of Qualified Instructors


  C. Current Activities
    1. Government Initiatives
    2. Private Sector Activities
    3. Functional Gaps
  D. The Role of the I3P
  E. Operational Models

Part IV  Toward an Institute for Information Protection

10. Evaluation of Alternative Structures
  A. Programmatic Initiative
    1. Coordination Activities
    2. Functional Activities
    3. Assessment
  B. Mission-Focused Government Activity
    1. Examples
    2. Assessment
  C. Private Sector Consortium
    1. Examples
    2. Assessment
  D. The Case for the I3P
  E. Conclusion
11. Concept of Operations
  A. Mission
  B. Tasks, Deliverables, Performance Measures
  C. Structure
    1. Staffing and Governance
    2. External Relationships
  D. Government Funding and Sponsorship
  E. Alternative Structures
    1. A Private Corporation: IN-Q-TEL
    3. A Public Corporation


  F. Legal and Regulatory Issues
    1. Acquisition Regulations
    2. Intellectual Property
    3. Restrictions on the Participation of Foreign or Multinational Firms
    4. Information Protection and the Freedom of Information Act
    5. Antitrust
    6. Liability

Appendixes

  A. The PCAST Letter to President Clinton
  B. Interview and Workshop Participants

Figures

  1-1. PCAST’s Proposed Organization
  6-1. Critical Infrastructure Protection R&D Interagency Working Group
  9-1. The I3P’s Role in Education and Training
  11-1. The Institute’s Structure and External Relationships

Tables

  5-1. Functional Areas
  5-2. Baseline Organizations
  5-3. Organizations Reviewed in Each Functional Area
  6-1. Roadmaps for Information Assurance R&D
  6-2. Framework for Information Assurance Research
  6-3. FY2000 Government Agency Budget Requests for Critical Infrastructure Protection R&D
  6-4. Assessment of Existing R&D Activities
  6-5. Needed R&D Functional Tasks
  7-1. Needed Information Sharing Functional Tasks
  7-2. Assessment of Existing Information Sharing Activities
  8-1. Desiderata for a Product and Service Evaluator
  8-2. Assessment of Existing Product and Services Evaluation Activities
  8-3. Needed Product and Services Evaluation Functional Tasks


  9-1. Sources of Information Technology Workers
  9-2. Non-degree Programs
  9-3. Assessment of Existing Education and Training Activities
  9-4. Tasks and Related INIIP Activities
  10-1. Functional Assessment of the Institute versus Alternatives
  10-2. Alternatives versus Management Criteria
  11-1. Representative Institute Tasks, Deliverables, and Performance

SUMMARY 


This  paper  assesses  the  need  to  create  a  new  research  organization  with  the 
mission  to  identify  and  address  vulnerabilities  in  the  nation’s  information  systems  and 
networks. Despite the many recent initiatives in this area, a broad cross-section of experts
agrees  that  such  an  organization — if  properly  structured — could  substantially  strengthen  a 
range  of  needed  functions.  The  paper  describes  these  functions  and  the  kind  of 
organization  the  experts  believe  can  best  perform  them. 

The  need  to  address  vulnerabilities  in  the  nation’s  infrastructure  sectors  was 
articulated  by  the  President’s  Commission  on  Critical  Infrastructure  Protection  (PCCIP) 
in  its  1997  report.  The  Commission  described  the  growing  importance  of  information 
systems  to  such  critical  sectors  as  communications,  energy,  transportation,  banking  and 
finance,  water  supply,  emergency  services,  and  public  health  services.1  In  May  1998, 
Presidential  Decision  Directive  63  (PDD-63)  directed  implementation  of  many  of  the 
Commission’s  recommendations. 

In  December  1998,  the  President’s  Committee  of  Advisors  on  Science  and 
Technology  (PCAST),  having  reviewed  the  provisions  of  PDD-63,  proposed  that  a  new 
laboratory  be  established  to  focus  on  the  research  and  development  required  to  understand 
and  address  vulnerabilities  in  the  nation’s  information  infrastructure.  The  President 
agreed  with  the  PCAST  that  information  assurance  creates  unique  R&D  challenges  but 
requested  a  review  to  determine  whether  creating  a  new  laboratory  offered  the  best 
approach  to  meeting  those  challenges.  As  a  result,  the  Deputy  Director,  Defense  Research 
and  Engineering,  tasked  the  Institute  for  Defense  Analyses  (IDA)  to  conduct  an 
independent  assessment  of  the  PCAST  proposal  to  create  a  new  laboratory,  and  to 
develop  and  analyze  additional  organizational  options. 


1  These  are  the  infrastructure  sectors  identified  in  PDD-63  and  differ  only  slightly  from  those  considered 
by  the  PCCIP.  See  White  Paper:  The  Clinton  Administration’s  Policy  on  Critical  Infrastructure 
Protection:  Presidential  Decision  Directive  63,  Executive  Office  of  the  President,  May  1998. 




VULNERABILITIES  AND  CONCERNS 

[...] military capabilities. A few may well be on the way to
developing the capability to carry out such cyber attacks.

As yet, no one understands the vulnerabilities with sufficient clarity to identify all
[...] infrastructure. [...] States must [...] to understand and address
information infrastructure vulnerabilities. If we don’t, we risk having others exploit [...]

FINDINGS:  WHY  A  NEW  ORGANIZATION  IS  NEEDED 

Our findings reflect interviews with more than 100 [...]
industry, and academia and two workshops that brought [...]
interviewees and other experts in the area. In addition, [...] on a White
House conference that included the President’s [...]
Coordinator for Critical Infrastructure [...]
members, and the Chief Technology Officers from fifteen information technology [...]

The principal finding is that a new R&D organization is needed. The nation
[...] critical infrastructure
sectors, and this entails a unique set of functions that are not being provided by any
existing organization. Moreover, no existing organization is [...]
responsibility for building the partnerships necessary to integrate activities across
functions, across infrastructure sectors, and between the government and private sectors.
This unique role requires establishing a new organization rather than modifying,
combining, or expanding existing organizations.

[...] structure for such an [...] review began
with the PCAST’s model, but [...] considered modifications to the
model,  as  well  as  alternative  structures.  Three  modifications  to  the  PCAST  proposal 
were  incorporated:  (1)  altering  the  leadership  structure  to  more  strongly  emphasize  the 
joint  partnership  of  industry,  government,  and  academia;  (2)  focusing  the  organization’s 
functions  more  explicitly  on  integration  and  collaboration,  and  on  research  that  is  not 
competitive  with  ongoing  commercial  and  government  programs;  and  (3)  limiting  the 
new  entity  to  a  small  core  staff  combined  with  a  strong  external  program.  The  resulting 
organizational  concept  has  come  to  be  known  as  the  Institute  for  Information 
Infrastructure  Protection  (I3P).  The  use  of  the  term  “institute”  is  intended  to  denote  the 
breadth  of  the  organization’s  roles,  and  its  added  focus  on  building  partnerships  rather 
than  purely  on  executing  an  in-house  technology  development  program. 

Altogether,  four  structural  alternatives  are  described,  compared,  and  assessed  in 
Chapter  10: 

■ The I3P -- the PCAST’s proposal for a government-funded private-sector
organization with modifications as described above,

■ a programmatic initiative -- expanded funding for current efforts within
existing organizations,

■ a new, mission-focused government agency or office, and

■ a purely private sector consortium.

As discussed in Chapter 10, each of these approaches has support among some experts,
and  each  brings  certain  strengths  and  weaknesses.  On  balance,  however,  we  found 
general  agreement  that  the  I3P  provides  the  best  approach  for  building  needed 
partnerships  among  the  government,  industry,  and  the  private  sector.  This  is  especially 
important  in  establishing  an  effective  framework  for  the  information  sharing  essential  for 
shaping  and  executing  the  R&D  program.  As  a  private  sector  entity,  the  I3P  also  offers 
the  best  way  to  attract  an  effective  CEO  and,  by  offering  competitive  salaries,  to  build  the 
needed  core  technical  staff.  Finally,  most  experts  believe  a  private  institute  such  as  I3P 
could  most  effectively  formulate  and  manage  the  needed  R&D  program,  because  it  can 
operate  at  “Internet  speed”  and  adopt  a  culture  compatible  with  the  business  community. 
The  remainder  of  this  summary  focuses  on  the  I3P  model. 

MISSION 

The  PCAST  defined  the  basic  purpose  for  a  new  organization.  It  is  “to  conduct 
research  and  develop  technology  that  would  protect  our  critical  information  and 
communications systems from penetration and damage by hostile foreign national or
sub-national groups, organized crime, determined hackers, and from natural instabilities,
human failings [...]

[...] partnerships needed to integrate and [...]
below emphasizes the breadth of the technical challenge and [...] recognized need to
formulate and execute [...] involved communities:

[...] national [...]
understand vulnerabilities in the [...] in particular, emphasize R&D to
develop [...] organized attack that could
severely disrupt or damage [...] essential to the
national defense, economic prosperity, and quality of life.
FUNCTIONS

[...]

Research and development

The main function of the new organization would be to identify [...]
infrastructure problems with risks of large-scale consequences that cut across [...]
information [...]

Representative challenge areas include:

■ [...] interactions, and [...]

■ Identifying gaps and shortfalls in R&D

■ Creating a scientific basis for information assurance



■  Developing  engineering  principles,  practices,  and  evaluation  benchmarks  and 
tools 

■  Developing  concepts  for  high-confidence  systems  and  software 

■  Investing  in  information  assurance  for  new  and  emerging  information 
technologies 

■  Addressing  the  people,  the  process,  and  the  legal  dimensions  of  information 
assurance,  including  risk  management  (e.g.,  insider  threat)  and  security 
process  implementation 

The  I3P  will  not  be  a  technology  development  “skunkworks.”  Its  mission  should 
encompass  technology  transfer,  information  sharing,  and  proactive  interactions  with 
related  activities  as  outlined  below. 

Public-private  information  sharing 

Information  developed  through  ongoing  activities  is  not  always  shared  effectively 
either  within  or  among  sectors.  But  information  sharing  is  a  critically  important  enabler 
of the I3P’s functions; thus, substantial care must be taken to create an effective
framework.  The  I3P  should — 

■  Help  coordinate  across  sectors  to  ensure  that  information  is  being  shared,  to 
highlight  system-of-systems  interdependencies  and  cascading  effects,  and  to 
point  out  where  R&D  and  other  corrective  actions  are  required. 

■  Provide  a  neutral  forum  through  such  means  as  e-mail  lists,  web  pages,  chat 
rooms, conferences and publications (managed by I3P staff) for experts to
exchange views on subjects -- whether vulnerabilities, strategies, best practices,
or policy -- that bear on the R&D agenda for information assurance.

■  Ensure  that  its  products,  including  vulnerability  assessments,  technology,  and 
concepts,  are  readily  available  to  industry,  academia,  and  government. 

Most of the I3P’s work would be publicly available; however, some necessarily would be
controlled  within  an  information  management  regime  capable  of  protecting  classified  and 
proprietary  information. 

Day-to-day  operational  information  sharing  relating  to  computer  intrusion,  attack, 
or  responses  would  not  be  encompassed  in  the  organization’s  responsibilities,  because 
other  organizations  already  perform  this  function. 




Product  and  services  evaluation 

[...] establish and oversee evaluation criteria and practices [...]
professionals [...] work would have [...] criteria [...] across [...]
infrastructure sectors by, for example, promulgating the best practices [...]
identify research needs so that appropriate R&D [...] be conducted and the results fielded
to raise the level of best practice [...] R&D program [...] seeking to strengthen the
evaluation of products and services such as the [...] Achieving [...] neutral and open
minded by industry, academia and government.

Education  and  training 

[...] to expand [...] efforts [...] understand and can correct information
infrastructure vulnerabilities [...] research funding for University Centers of
Excellence [...] university research centers that teach information assurance. In
addition, in fulfilling the responsibilities under product and services evaluation, the
I3P [...] and oversee educational [...] make available relevant research results
and [...] help build courses and training programs. Finally, the I3P’s charter [...]
permit [...] assessments and policy studies to [...]

[...] information [...] of this paper) [...] I3P (more [...] described in Chapter 11 [...]

[...] government pay and personnel policies and thus [...]
talent.  It  would  not  be  overly  burdened  by  government  budgeting  and 
procurement  policies  and  thus  could  respond  flexibly  in  the  dynamic 
information  technology  environment.  Perhaps  most  importantly,  companies 
are extremely wary of sharing information with the government, suspecting it
may lead to regulatory interference or public disclosure, but a properly
structured  I3P  located  in  the  private  sector  can  effectively  facilitate 
information  sharing. 

• The PCAST’s proposal of government funding of $100 million per year is
appropriate  for  the  I3P  after  an  initial  start  up  period.  In  addition,  it  may 
receive  government  funding  to  perform  specific  tasks.  It  also  could  receive 
private  funding,  although  most  experts  believe  such  funding  will  not  be 
forthcoming  initially. 

•  The  I3P  should  have  a  very  small  in-house  staff  of  perhaps  15  to  25 
professional  employees.  Rather  than  attempting  to  build  a  large,  integrated 
research  staff,  it  would  take  the  more  practicable  approach  of  contracting  for 
the  external  execution  of  its  program.  The  staff  would  be  responsible  for 
strategy,  planning,  resource  allocation,  coordination,  and  project  management. 
A  key  role  of  the  staff  is  to  build  external  relationships  across  infrastructure 
sectors. 

To  encourage  private  sector  participation,  the  I3P  would  engage  influential 
industry  leaders  in  leading  the  organization  and  in  shaping  its  strategy  and  program: 

•  A  board  of  directors  would  govern  the  I3P.  The  directors  would  include 
prominent  Chief  Executive  Officers  (CEOs)  from  the  companies  that  operate 
the  critical  infrastructure  sectors  and  supply  information  technology.  Their 
participation is essential to engaging industry in the I3P’s planning and
program  execution. 

•  The  I3P  CEO  would  be  chosen  by  and  report  to  the  board  of  directors.  The 
CEO  would  be  responsible  for  allocating  funds  and  for  the  successful 
execution  of  the  I3P  program.  The  CEO  would  be  a  prominent,  national 
figure,  and  a  respected  peer  of  the  directors,  able  to  attract  talent  and  to  work 
effectively  with  the  executive  and  legislative  branches  of  government. 

• Corporate-government-academic steering groups would provide liaison with
infrastructure providers, hardware and software suppliers, and other research
organizations. They would advise the CEO in developing the I3P’s R&D
agenda,  and  in  shaping  its  other  activities.  The  steering  groups  would  include 
Chief  Technology  Officers  (CTOs)  and  government  executives  who  would 
assist  in  gaining  support  and  collaboration  from  their  organizations. 

Linkages  with  the  responsible  government  agencies  would  be  established  through 
the  governance  structure,  ongoing  working  relationships,  and  the  sponsoring  office: 




• Some of the I3P’s directors would be drawn from the National Information
Assurance Council, which will include senior executives and experts
appointed to advise the President on broad strategies and program priorities.

• The I3P’s charter would permit it to accept tasks and funding from
government agencies for specific study efforts in support of government
strategy, planning, and coordination efforts in the infrastructure protection

• The I3P would receive its government funding and liaison support from a
sponsoring organization in the Executive Branch. Preferably the sponsor
would be located in the Executive Office of the President in order to
emphasize its inter-agency character, but the sponsor might also be within a
related government R&D activity. Other Executive Branch entities, as well as
private firms, could provide additional funding for specified I3P activities.

• An interagency oversight and coordination council would review the I3P’s
budget and broad programmatic priorities. The council also would be
responsible for promoting effective working relationships between the I3P and
relevant government agencies. The council would include representatives from
the National Security Council, the Office of Science and Technology Policy,
the Commerce Department, the Defense Department, the National Science
[...] agencies [...] responsibilities for infrastructure
protection.


This concept of operations for I3P builds on the PCAST’s original proposal and
the  ideas  and  concerns  shared  by  experts  in  infrastructure  protection  and  information 
assurance.  This  concept  is  best  viewed  as  a  starting  point  for  developing  a  more  detailed 
implementation  approach.  Specific  implementation  proposals  should  be  evaluated  in 
terms of their ability to carry out the mission and necessary functions identified here.




INTRODUCTION 


The  United  States  is  highly  dependent  on  certain  basic  service  sectors  that 
comprise  the  nation’s  economic  and  social  infrastructures.  Every  business,  industrial 
facility,  and  household  operates  within  a  decentralized,  but  interconnected,  economic 
system  that  provides  information  and  communications  services;  gas,  oil,  and  electric 
energy;  transportation;  banking  and  financial  services;  and  safe  water  supply,  public 
services, and a modern public health system.1 In 1997, after a yearlong review, the
President’s  Commission  on  Critical  Infrastructure  Protection  found  that: 

Certain  of  our  infrastructures  are  so  vital  that  their  incapacity  or 
destruction  would  have  a  debilitating  impact  on  our  defense  and  economic 
security....  The  threat  of  infrastructure  attacks  therefore  has  the  potential 
for  strategic  damage  to  the  United  States.2 

Since  the  Commission’s  report,  government,  industry,  and  academia  have  shown 
increased  awareness,  concern,  and  action  regarding  infrastructure  protection.  Many 
experts  believe  that,  despite  the  steps  taken  thus  far,  the  vulnerabilities  in  the  nation’s 
infrastructures  are  still  growing  more  rapidly  than  our  efforts  to  address  them,  and  that 
much  more  needs  to  be  done. 

This paper assesses one important recent proposal. In December 1998, the
President’s Committee of Advisors on Science and Technology (PCAST) recommended
establishing a Laboratory for National Information Infrastructure Protection (LNIIP) to
perform research and related functions in support of critical information infrastructure
protection. The proposal focused on R&D and related functions that the PCAST believes
are not performed adequately today. Our assessment of the PCAST’s proposal provides
an independent survey of the functions needed for information infrastructure protection,
and an assessment of the adequacy of ongoing activities. Our review concludes that there
is a need for a new organization along the lines of the LNIIP to perform at least some of
the proposed functions.


1 These are the infrastructures identified in PDD-63 and differ only slightly from those considered by the
PCCIP. See White Paper: The Clinton Administration’s Policy on Critical Infrastructure Protection:
Presidential Decision Directive 63, Executive Office of the President, May 1998.

2 President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting
America’s Infrastructures, 1997,3,24.


This study was commissioned in support of a broader government review led by
the Office of Science and Technology Policy (OSTP). In February 1999 when the
President responded to the PCAST proposal, he directed his OSTP staff to address three
key questions.3


Is  there  an  existing  research  and  development  facility,  either  inside  or  outside 
the  federal  government,  that  might  already  be  able  to  take  on  this  function? 

Do  researchers  and  members  of  industry  in  the  private  sector  also  see  a  need 
for  such  an  organization,  and  what  are  their  concerns  and  recommendations? 


Should  it  become  apparent  that  the  creation  of  the  LNIIP  is  the  best 
alternative,  how  would  the  laboratory  function,  how  might  it  recruit  (or  train) 
the  necessary  talent,  and  how  would  its  work  complement  and  coordinate  with 
research  and  development  efforts  elsewhere  in  the  public  and  private  sectors? 


These questions have provided the broad organizing framework for IDA’s review.
The review was conducted in two phases.4 In Phase 1, IDA sought to identify those
research-related  requirements  for  critical  information  infrastructure  protection  that  were 
not  being  met.  Based  on  extensive  consultation  with  experts  in  industry,  academia,  and 
government,  IDA  identified  four  functional  areas  requiring  greater  effort: 


•  Executing  and  deploying  research  and  development 


•  Establishing  a  two-way  street  for  public-private  information  sharing 

•  Providing  product  and  services  evaluation  benchmarks  and  tools 

•  Supporting  the  education  and  training  of  an  information  assurance  community 


[…] for Science and Technology tasked the Institute […]




An  overarching  finding  was  that  the  new  organization  must  be  able  to  shape  a 
national  agenda  and  broadly  integrate  across  sectors  and  functions.  It  must  motivate 
strong  and  balanced  public  and  private  participation.  Overall  success  will  be  measured  by 
how  well  these  essential  crosscutting  functions  are  accomplished. 

Phase  2  of  the  study  refined  the  definitions  of  the  four  functions  and  considered 
how  they  might  be  performed.  The  review  team  augmented  the  findings  of  Phase  1  with 
assessments  of  the  current  state  of  understanding  of  vulnerabilities  and  a  review  of  the 
existing  activities  and  gaps  within  each  of  the  four  functional  areas.  Following  this,  the 
team  explored  several  organizational  structures,  including  the  potential  for  performing  the 
functions  in  a  new  organization  versus  assigning  them  to  existing  organizations.  We 
developed a tentative concept of operations for the proposed new organization.

Our  assessments  and  findings  are  presented  as  follows.  Part  I  outlines  the  context 
for  this  study  and  summarizes  the  views  of  the  experts  interviewed.  Chapter  1  provides  a 
brief overview of the PCAST’s proposal. Chapter 2 presents the experts’ assessments of
the  PCAST  proposal  as  well  as  their  perspectives  on  related  information  infrastructure 
issues. 

Part  II  presents  our  assessment  of  the  current  state  of  knowledge  regarding 
infrastructure  vulnerabilities,  as  available  in  unclassified  form.  Chapter  3  begins  with  a 
look  at  information  system  and  network  issues  common  across  infrastructures.  Chapter  4 
focuses  in  greater  depth  on  specific  sectors. 

Part  III  summarizes  our  examination  of  each  of  the  four  functional  areas.  The 
purpose  of  this  work  is  to  clarify  needs  in  each  area  and  to  assess  the  adequacy  of  current 
activities.  Chapter  5  provides  an  overview  of  our  approach  and  identifies  the  activities 
that  are  reviewed.  These  represent  our  baseline  for  determining  what  new  initiatives 
might  be  needed.  The  following  four  chapters  then  focus  on  each  of  the  four  functional 
areas:  research  and  development  (Chapter  6),  information  sharing  (Chapter  7),  product 
and  service  evaluation  methods  and  tools  (Chapter  8),  and  education  and  training 
(Chapter  9). 

Part IV evaluates the case for establishing a new organization to perform the
needed functions identified in Part III. Four broad alternatives, including their potential
strengths and weaknesses, are outlined in Chapter 10. Chapter 11 then outlines a concept
of operations for the proposed Institute. Appendixes provide additional supporting
materials.




PART  I 

THE  EXPERTS’  VIEWS  ON  THE  PCAST  PROPOSAL 


Chapter  1 

BACKGROUND:  THE  PCAST  PROPOSAL 


In  May  1998,  the  President  responded  to  the  recommendations  of  the  President’s 
Commission on Critical Infrastructure Protection (PCCIP), issuing Presidential Decision
Directive  63  (PDD-63).  The  directive  expressed  the  President’s  intent  that  the  critical 
infrastructures,  and  especially  the  underlying  cyber  systems,  be  protected  from  significant 
vulnerabilities  to  physical  and  cyber  attacks.1  The  document  called  for  a  public-private 
partnership  and  defined  a  liaison  structure  matching  lead  federal  agencies  with  private 
sector  counterparts  in  each  infrastructure  sector.  It  called  for  a  National  Infrastructure 
Assurance  Council  to  ensure  high-level  federal  contact  with  major  infrastructure  owners 
and  state  and  local  government  officials.  It  proposed  that  each  economic  sector  create  an 
information  sharing  and  analysis  center  (ISAC)  and  designated  certain  agencies  to  serve 
as  liaisons  with  key  infrastructure  sectors.  PDD-63  also  established  mechanisms  for 
interagency  coordination  at  the  federal  level.  Individual  agencies  were  responsible  for 
developing  plans  for  protecting  the  federal  infrastructures,  with  OSTP  providing  overall 
oversight  and  coordinating  government  research  and  development  activities. 

In  a  letter  to  President  Clinton  on  December  10,  1998,  the  President’s  Committee 
of  Advisors  on  Science  and  Technology  (PCAST)  proposed  an  additional  step:  the 
establishment  of  a  new  organization  to  generate  and  disseminate  knowledge  related 
specifically to the cyber vulnerabilities of the nation’s critical infrastructures.2 This
Laboratory  for  National  Information  Infrastructure  Protection  (LNIIP)  would  be  a 
research  and  development  center  and  would  perform  various  functions  related  to 
information  infrastructure  protection  but  would  not  be  involved  in  operations  or 
implementation.  The  LNIIP  would  be  a  federally  funded,  not-for-profit  organization  with 
private  sector  advisors  and  support. 


1  See  White  Paper:  The  Clinton  Administration’s  Policy  on  Critical  Infrastructure  Protection: 
Presidential  Decision  Directive  63,  Executive  Office  of  the  President,  May  1998,  1. 

2  The  PCAST’s  letter  to  President  Clinton  (December  10,  1998)  is  included  in  Appendix  A. 




[…] to conduct research and develop technology […] damage by hostile […] crime, and
determined hackers. The organization would also address protection of […] complex,
nonlinear networks from major disruptions due to natural instabilities, internal […]
weaknesses, and human failings.

The PCAST identified a number of tasks for the LNIIP to pursue:

• […] robustness and resilience of such complex systems, and create the means to assure
graceful degradation under stress.

• […] develop and deploy new technology equipment, software, and procedures […]

• […] a clearinghouse for […] experience, set and disseminate best practice information;
and carry out training exercises and inspections to certify performance.

The proposed organizational structure for the LNIIP […] independent board of directors
composed of leaders from […] the information technology supplier and customer
industries and […] govern […] LNIIP. A Federal Coordinating Committee, […] Council,
would […], which might grow to $100 million, would be provided through the Office of
Management and Budget (OMB). An industry advisory committee would also provide […]
oversight. The LNIIP would serve clients in the government and the private sector and
would eventually generate financial support from the latter.




Figure  1-1.  PCAST’s  Proposed  Organization 

A  Federal  Coordinating  Committee  would  define  the  LNIIP’s  research 
requirements.  The  LNIIP  would  interact  with  federal  and  private  sector  users  to  give  them 
a  role  in  shaping  the  work  program.  The  technical  program  would  focus  on  the  following 
topics: 

•  Vulnerability  detection  and  analysis 

•  Security  architectures  and  simulation  systems 

•  Encryption  and  authentication  systems 

•  Intrusion  detection  and  warning  systems 

•  System  recovery 

•  Component  and  software  security  assurance 

•  Best  practices  for  product  evaluation 

•  Training 

•  Human  interface  with  complex  systems 




The PCAST-proposed LNIIP provided the starting point and focus for the IDA […]
chapters, […] review considered […] to the PCAST model, as well as substantially
different structural alternatives.




Chapter  2 

THE  EXPERTS’  VIEWS  ON  THE  PCAST  PROPOSAL 

Between  May  and  September  1999,  the  IDA  study  team  interviewed 
representatives  of  industry,  government,  and  academia,  including  members  of  the  policy 
community  and  the  PCAST,  to  gather  their  views  concerning  the  PCAST  proposal  and 
related  issues.1  The  interviews  focused  on  the  questions  posed  in  the  President’s  February 
1999  response  to  the  PCAST  proposal  and  related  issues.2  The  IDA  study  team 
supplemented  the  interviews  with  workshops  in  June  and  September.  These  provided 
opportunities  for  experts  to  discuss  the  PCAST  proposal  and  to  suggest  other  approaches. 
In  addition,  IDA  drew  on  a  White  House  conference  that  included  the  President’s  Science 
Advisor,  the  National  Coordinator  for  Critical  Infrastructure  Protection  and 
Counterterrorism,  PCAST  members,  and  the  Chief  Technology  Officers  from  fifteen 
major  information  technology  firms. 

In summarizing the results of these activities, we have grouped the experts into
three broad categories, roughly corresponding to industry, academia, and government.
The industry representatives include information technology (IT) vendors (namely,
software and hardware developers and manufacturers), infrastructure operators (including
utilities, telecommunications companies, and internet service providers), and end users
(such as insurance companies and defense manufacturers). The academic category
includes both university faculty and researchers in private think tanks. Government
interviewees include representatives of the Department of Defense (military and civilian),
civilian agencies, national labs, and Congress. In a few cases, interviewees span
categories—as in the case of former government officials now employed in think tanks,
universities, or business—and their responses are occasionally divided between categories
depending on which community they were speaking for when they expressed their views
on a given issue.


1 In all, more than 100 experts contributed to this study. A list of interviewees and workshop participants
can be found in Appendix B.

2 The IDA interviewers posed five questions:

■ What organizations and programs are currently addressing the problem of information
infrastructure protection, and how effective are they?

■ What are the major gaps and limitations in existing research and development programs,
approaches to developing and deploying new technologies, and education and training? What
factors contribute to these deficiencies?

■ What is the appropriate role of government in finding or facilitating fixes for these deficiencies?
What role should industry and academia play?

■ Is a Laboratory for National Information Infrastructure Protection the right approach?

■ What other organizational models might better serve the goal of enhancing the security of the
nation’s information infrastructure?

A.  NATURE  OF  THE  CHALLENGE 

Experts share the conviction that vulnerabilities in the nation’s information
infrastructure pose a danger to both the national security and the economic health of the
nation. Current views reflect a dramatic increase in the level of understanding and
awareness of infrastructure vulnerabilities in recent years. The experts characterize the
fundamental underlying problem as stemming from the rapid decentralized growth in
networked information systems. No one fully understands the behavior of the networks
that have been created, the interactions among them, or how they interact with the
physical systems they control. At the same time, there has been too little emphasis on
establishing the design principles and engineering tools for building networks that
incorporate robustness, assurance, and security. In subsequent chapters, we will survey
current assessments of vulnerabilities.

In examining possible initiatives to address vulnerabilities in today’s complex
information networks, the experts see major challenges in defining responsibilities and
working relationships among government, industry, and academia. Gaps in research exist
today because existing competitive mechanisms (in both commercial markets and
research communities) typically do not fund long-term research or research on the kinds
of broad systems-of-systems issues that often give rise to vulnerabilities. There are
important crosscutting issues that are too broad and too complex for industry or academia
alone to tackle.

There is wide agreement, therefore, that the government should play a leading role
in any coordinated national response to these vulnerabilities as a function of its obligation
to protect the national security of the nation. In particular, the government has
responsibility to improve the understanding and awareness of vulnerabilities and the
crucial links between improved information assurance and national defense. At the same
time, an effective R&D program will require active industry involvement, and industry
must take the lead in addressing the vulnerabilities identified.

There  are  major  barriers  to  establishing  cooperative  relationships,  not  just 
between  government  and  industry — which  is  in  itself  daunting — but  within  industry, 
which  could  prove  as  difficult,  if  not  more  so.  Cooperation  has  been  problematic  in  the 
intensely  competitive  business  environment.  In  addition,  legislators  need  to  address  the 
statutory  restrictions  current  anti-trust  laws  place  on  industry  cooperation. 

Fortunately, the business community has, over the past few years, come
increasingly to recognize the potentially catastrophic costs related to information
infrastructure vulnerabilities. The level of private sector energy and resources devoted to
information assurance is increasing (one source reported the information assurance
market has grown fourfold between 1996 and 1999), and industry collaboration—both
internally or with government and universities—is beginning to take hold (particularly in
the banking and financial sectors).

These  developments  suggest  the  time  is  right  for  engaging  industry  in  a 
collaborative  effort.  Corporate  executives  caution,  however,  that  progress  will  require 
careful  consideration  of  the  equities  of  all  the  parties  involved  and  focused  efforts  to 
transcend  cultural  boundaries  and  eliminate  legal  boundaries  to  cooperation.  Currently, 
government,  industry,  and  the  academic  communities  (and  sub-groups  within  each  of 
those  communities)  view  information  infrastructure  vulnerability  from  different 
perspectives,  and  as  a  result,  each  tends  to  conclude  that  the  others  do  not  fully 
understand  the  severity  and  complexity  of  the  challenge. 

We  found  agreement  on  two  additional  issues  regarding  the  scope  and  nature  of 
the  problem:  1)  that  infrastructure  vulnerabilities  pose  a  multidimensional  problem  that 
demands  creative  and  interdisciplinary  approaches  extending  beyond  software  and 
hardware  engineering  to  basic  science,  sociology,  ethics,  and  law;  and  2)  that  the  constant 
evolution  of  information  technology  makes  efforts  to  address  such  vulnerabilities  a 
rapidly  moving  target,  or  more  accurately  a  set  of  targets  that  will  continue  to  defy 
permanent  or  one-size-fits-all  solutions.  These  two  insights  constitute  fundamental 
principles  that,  combined  with  the  awareness  that  the  nation’s  security  depends  on  the 
establishment  of  a  secure  information  infrastructure,  should  underlie  any  attempt  to  craft 
an  institutional  response  to  the  challenge  of  protecting  the  national  information 
infrastructure. 




B.  WHAT  IS  TO  BE  DONE? 

The  experts  support  creation  of  an  organization  that  would  map  out  key 
networked  information  systems,  explore  the  behavior  and  vulnerabilities  of  such  complex 
systems-of-systems,  and  develop  technologies  and  methods  for  addressing  vulnerabilities. 
They  identified  a  number  of  research  areas  where  gaps  and  limitations  in  current 
understanding  need  to  be  addressed.  The  functional  areas  that  are  not  adequately  covered 
by  existing  organizations  or  programs  fall  into  four  areas: 

1. Executing research and development and fielding the results

2.  Establishing  a  two-way  street  for  public-private  information  sharing 

3.  Fostering  improved  evaluation  of  product  and  services 

4.  Supporting  the  education  and  training  of  a  pool  of  information  assurance 


We  examine  each  of  these  four  functional  areas  in  detail  in  Part  III  of  this  report. 

Beyond these specific functions, the experts believe that the core mission of any
new organization should be to help formulate a national strategy that integrates effort
across economic sectors and among the public, private, and academic research
communities and places heavy emphasis on the dissemination and application of new
knowledge. While a great deal of work is ongoing in the information assurance area — in
government, industry, and academia — the mechanisms for integrating and fielding new
breakthroughs remain inadequate. As one interviewee noted, the state of the nation’s
information assurance could advance dramatically if only we were to get what researchers
and engineers already know into the marketplace.

Many of the experts we consulted stressed the need to integrate activities. They
noted that federal efforts in this realm have yet to gain the confidence and support--and
sometimes even the attention--of industry. Executives believe federal responses thus far
have been poorly coordinated and underfunded, suffering overall from the absence of a
coherent national strategy. Executives also see a lack of a concrete commitment at the
highest level of government backed by the kind of long-term funding allocations that
would indicate that the federal government is serious about tackling the problem over the
very long-term. Numerous organizations within government are currently addressing
some aspect of the information assurance problem, but outside government (and, to some
extent, even within government) these efforts are perceived as marginally effective at
best. They lack a single, highly placed advocate to provide focus and interface with the
private sector. In short, until someone in government “owns” responsibility for
integrating public and private approaches to addressing the problem of information
assurance and fostering concrete and effective responses, industry is unlikely to recognize
that not just their bottom-line but the overall security of the nation is at stake.

C.  IS  A  LABORATORY  THE  BEST  ORGANIZATIONAL  APPROACH? 

At the conclusion of our Phase 1 review, it was clear that the level of
understanding and concern among experts about information infrastructure vulnerabilities
has expanded significantly in the last 3 years. It was equally clear that there is support for
some level of government action to jump-start the important new functions that need to
be performed. There was, however, no consensus on whether the creation of a new
organization would be helpful in performing the needed functions. The experts offered
widely ranging views on possible alternatives to the PCAST-proposed laboratory. Some
contended that a new organization is not needed and that expanding the programs of
existing organizations is enough to fulfill the needed functions. Others favored assigning those
functions to a new government agency. There was also support for attempting to create an
industry consortium to perform these responsibilities.

Those  who  supported  the  PCAST’s  laboratory  model  cited  a  number  of  key 
research  areas  that  need  the  kind  of  unbiased  attention  that  a  government-sponsored 
laboratory  is  most  likely  to  give.  In  some  crucial  areas,  such  as  understanding  networked 
information  systems  as  end-to-end  systems-of-systems,  there  was  a  sense  that  only  a 
dedicated  laboratory  could  devote  the  attention  and  resources  necessary  to  see  complex 
research  problems  through  over  the  long  term.  Several  interviewees  also  cited  important 
work  already  underway  at  Department  of  Energy  Labs  (Livermore,  Sandia)  as  examples 
of  the  kind  of  work  that  can  be  done  only  in  such  an  environment.  Proponents  raised 
several  additional  considerations  that  might  make  a  laboratory  desirable.  These  include 
the  need  to  establish  an  evaluation  capability,  such  as  that  provided  by  Underwriters 
Laboratories,  for  information  assurance;  the  government’s  unique  qualifications  as  an 
“honest  broker”  and  facilitator  of  information  sharing;  its  long  experience  dealing  with 
classified  and  sensitive  information;  and  its  already  sophisticated  threat  assessment 
capabilities. 

Interviewees  who  disagreed  with  the  PCAST  proposal  often  objected  specifically 
to  the  notion  of  its  being  a  “laboratory.”  To  them,  this  connoted  the  creation  of  a  new 
facility  and  building  and  a  large  onsite  staff  of  information  technology  experts. 




[…] start-up costs, (2) the shortage of qualified talent (which creation of a […]
laboratory […] worse), […] organizational impediments to effective public-private
cooperation (including […] Act concerns, copyrights, licensing, and other intellectual
property […]), […] the risk that a new organization would drain resources (especially
government R&D […] universities, and existing government laboratories.

[…] laboratory […] become divorced from the academia and business mainstream and […] a
poor record of commercializing the technologies they develop. Industry representatives
voiced further concern that “mission creep” might ultimately lead […]. In addition, there
was a general sense that bureaucracy, funding problems, interference from the
intelligence and law enforcement communities, […] government systems were secure would
hobble any new government organization. As a result, almost everyone interviewed said
that any organization should be established outside government with carefully
structured […] so that industry sees it as a partner rather than as a potential
economic competitor.

D. IF NOT A LABORATORY, THEN WHAT KIND OF ORGANIZATION?

Although there was considerable resistance to the idea of […] laboratory, we found
that the experts agreed with the PCAST on both […] coordination between public and
private efforts to ensure the security […] infrastructure as well as on the basic […]
those needs. […] currently not addressed by industry or government, and […] new
organization […] small in-house staff combined with a strong external program — yielded
a version of the PCAST proposal that found considerable support. This report evaluates
this modified PCAST model — what this report refers to as the I3P (Institute for
Information Infrastructure Protection) — instead of the “laboratory” model.

Several  other  models  were  also  suggested  and  discussed  by  the  experts.  In 
Chapter  10  we  define  and  evaluate  four  broad  structural  alternatives  that  represent  the 
range  of  ideas  presented  in  our  interviews  and  workshops.  The  four  alternatives 
evaluated  are: 

■  The  I3P,  as  described  above  (government-funded,  private  organization) 

■  a  programmatic  initiative  that  would  expand  funding  for  current  efforts  within 
existing  organizations 

■  a  new,  mission-focused  government  agency  or  office,  and 

■  a  purely  private  sector  consortium. 

The  experts  emphasized  that  creating  a  new  organization  will  help  only  if  it 
represents  a  demonstrable  improvement  over  existing  organizations — after  all,  a  program 
initiative  funding  additional  work  within  existing  organizations  is  the  most 
straightforward  approach.  In  addition,  a  new  research  organization  that  is  one  among 
many  peers  in  this  area  will  not  accomplish  the  needed  coordination  and  integration. 
Taking  a  leadership  role,  a  new  organization  would  need  to  help  forge  a  national  strategy 
for  protecting  the  nation’s  information  infrastructure,  integrate  across  the  existing 
activities,  and  accelerate  industry’s  application  of  new  technologies  and  practices. 

Chapter  10  evaluates  each  of  the  four  structural  alternatives  using  these  and  other 
specific evaluation criteria. This detailed assessment concludes that the PCAST’s
proposal,  as  modified  to  form  the  I3P,  is  the  approach  that  best  reflects  the  characteristics 
identified  by  the  experts  in  our  interviews  and  workshops.  These  are  summarized  in  the 
following  paragraphs. 

1.  A  Strong  Private-Sector  Role 

Most experts advise that the key challenge in information infrastructure protection
is to engage firms to share information and collaborate among themselves as well as with
the universities and the government. To accomplish this, the new organization should be
a not-for-profit private organization with a board of directors drawn from industry (and
including vendors, infrastructure operators, and end-users) along with direct and regular
access to national leaders, including the President, Departmental Secretaries, and
responsible members of Congress.

Companies are wary of sharing information with the government, suspecting it
may  lead  to  regulator  interference,  law  enforcement  intrusion,  or  public  disclosure.  A 
properly  structured  organization  located  in  the  private  sector  could  effectively  facilitate 
information  sharing.  Moreover,  a  private-sector  organization  would  not  be  constrained  by 
government  pay  and  personnel  policies  and  would  be  better  able  to  attract  needed  talent. 
It  would  not  be  overly  burdened  by  government  budgeting  and  procurement  policies  and 
thus  could  respond  flexibly  in  the  dynamic  information  technology  environment. 


2.  Strong  Leadership,  Lean  Staffing,  and  Strategic  External  Relations 

An  effective  and  influential  organization  would  have  the  following  key  attributes: 

A  director  of  sufficient  stature  and  charisma  to  attract  the  best  and  brightest 
talflt:  engage  suPP°rt  and  participation  of  key  corporate  CEOs,  and  wield 
sufficient  influence  with  both  the  executive  branch  and  Congress.  Likewise 
the  organization’s  Board  members  should  be  individuals  widely  known  for 
their  vision  and  political  sophistication. 

•  A  small  permanent  staff  augmented  by  a  larger  staff  of  information  assurance 
experts  and  engineers  who  rotate  in  from  industry,  academia,  and  government. 
Such  a  rotating  staff  serves  two  purposes— it  keeps  the  institution  tied  to  the 
outside  world  and  ensures  that  its  research  program  will  keep  up  with  the 
rapid  pace  of  technological  change. 

•  A business model that is compatible with that of the information technology
industry. The IT industry is culturally quite different from the heavy industries
(aerospace, automotive, chemical) that previously have been the prime
government contractors, accustomed to security and accounting requirements.
In particular, the new organization would need to be empowered (probably
by statute) to operate outside standard (and cumbersome) government
contracting and auditing procedures, and mechanisms would need to be
established to address industry concerns over intellectual property rights.

•  A physical or virtual connection with one or more high-tech centers (Silicon
Valley, Austin, Chicago, Northern Virginia, or Boston). Some experts
suggested that a “virtual laboratory” linking academic and industry research
facilities would be adequate. Others, however, held that the establishment of a
physical center in close proximity to industry and academic centers of
excellence would probably be necessary.




3.  Stimulating  Research  Environment 

A  core  of  smart  people  working  on  inherently  interesting  problems  combined  with 
an  exciting  and  innovative  research  agenda  will  attract  interest  and  talent.  Early 
breakthroughs,  however  limited,  could  also  attract  new  talent. 

4.  Direct  Partnership  with  Industry 

The  governing  structure  of  any  new  organization  must  be  truly  public-private, 
with  “captains  of  industry”  sitting  on  the  Board  of  Directors  and  committed  to  supporting 
its  information  protection  mission  over  the  long  term.  The  partnership  must  be  proactive 
and  spur  real  public-private-academic  cooperation  rather  than  merely  bringing  existing 
activities  under  a  single  administrative  and  funding  umbrella. 

5.  Committed,  High-Level  Government  Sponsorship 

There  was  agreement  that  any  new  organization  would  require  a  strong 
partnership  with  the  government.  The  sponsoring  agency  would  need  the  institutional 
clout  to  protect  the  organization’s  interests  in  the  interagency  process  as  well  as  with 
Congress,  some  experience  in  managing  long-term  R&D  programs,  and  a  strong 
commitment  to  the  mission.  The  Executive  Office  of  the  President,  the  Department  of 
Defense,  and  the  Department  of  Commerce  were  most  often  mentioned  as  the  logical 
sponsors  of  such  an  organization. 

A  majority  of  the  experts  we  interviewed  agreed  that  the  Department  of  Defense 
has  the  best  record  of  overseeing  managed  research  and  development  and  technology 
transfer  and  has  the  institutional  clout  to  defend  the  new  organization  and  its  mission  in 
the  interagency  process  and  promote  its  interests  in  Congress.  There  were  strong 
concerns,  however,  especially  among  industry  representatives  and  university  researchers, 
that  the  research  agenda  of  an  organization  associated  with  DoD  would  be  captive  to 
military  and  intelligence  collection  priorities  of  its  sponsor  rather  than  broader  private 
sector  vulnerabilities.  DARPA  was  often  mentioned  as  the  Defense  agency  best  suited  to 
sponsor  the  new  organization,  but  many  interviewees  deemed  it  too  small  and  too  focused 
on  development.  Some  argued  that  DARPA  is  not  set  up  to  oversee  long-term  research 
(over  5  years).  And,  some  noted,  DARPA  would  inherit  most  of  the  defense  baggage  that 
might  undermine  DoD  as  a  sponsor  without  the  balancing  advantage  of  the  larger 
agency’s  clout. 




Interviewees [...] sectors conceded that the intelligence community has by far
the best grasp of the scope and nature of likely threats, as well as big budgets and a
huge head start in mastering the technical problems involved in protecting the
information network from hostile attacks. But industry and academia also view the
intelligence community with a great degree of suspicion and thus do not regard it as an
[...] home for the overall [...] would [...]
important and, at any rate, inevitable. In fact, private sector representatives go so far as
[...] unlikely to cooperate with [...] standards,
research and development, or information sharing in which the intelligence community
and law enforcement plays a central or visible role.

[...] of interviewees mentioned the Department of Commerce as
the logical sponsor for such an organization. It is the federal agency with the closest
working relationship and cultural empathy with industry and business as well as with the
[...] appropriation and oversight committees. It is also the current home
of the Critical Infrastructure Assurance Office (CIAO) and, under the critical
infrastructure [...] PDD-63, [...] lead [...] for [...] the
information and communications sector. Still, most of those interviewed (including those
[...] the sponsoring agency) believe it lacks critical success
factors: the interagency clout to ensure the success of the new organization and
[...] working closely with [...].
Moreover, the ongoing information infrastructure protection efforts within the
Department of Commerce are thus far unproven in the eyes of industry. A few
[...] expressed [...] might deem the
Department of Commerce too close to the intelligence community.

6.  Adequate  and  Secure  Funding 

Industry, government, and academia disagree most dramatically over who should
pay for research in the private and academic sectors. Experts from industry and academia
often contend that information assurance is a national security matter for which the
[...]. But even if the government provides the bulk of the necessary funding, most industry
[...] primarily as a coordinator of new [...] R&D efforts
warn that government should not seek to control the research agenda or its
implementation if it expects industry cooperation. Representatives of government, in
contrast, generally hold that information assurance is essential to the functioning of
business  and  therefore  the  private  sector  should  provide  a  significant  share  of  the  human 
and  financial  resources  necessary  to  tackle  the  problem.  In  short,  while  both  sides  agree 
that  ideally  government  and  industry  should  cooperate  in  addressing  information 
infrastructure  protection,  each  thinks  the  other  should  provide  more  funding  than  it  now 
does. 

Almost  all  experts  agree,  however,  that  initial  funding  will  have  to  come  primarily 
from  government.  Any  new  organization  must  first  build  a  portfolio  of  impressive 
deliverables  in  order  to  prove  to  industry  that  any  future  investment  will  bring  real 
payoffs.  Industry  will  want  government  to  “put  its  money  where  its  mouth  is.”  Moral 
suasion  is  not  enough — only  by  putting  dollars  to  work  on  the  problem  can  government 
convince  industry  of  its  commitment.  After  the  new  organization  has  proved  its  mettle, 
greater  financial  commitment  from  business  might  be  possible  (but  should  not  be  counted 
on  in  the  near  term). 

The  experts’  views  summarized  in  this  chapter  have  focused  on  the  information 
assurance  problem  at  a  broad,  conceptual  level.  While  there  are  widely  divergent  views 
among  the  experts,  three  general  conclusions  summarize  the  current  state  of  thinking. 
First,  the  level  of  awareness  and  concern  has  grown  significantly  in  the  past  couple  of 
years.  Experts  in  government,  industry,  and  academia  now  agree  that  infrastructure 
vulnerabilities  pose  a  significant  risk  that  must  be  addressed  on  several  levels  -  to 
individual  businesses,  to  collective  industries  and  sectors,  and  to  US  national  and 
economic  security.  Second,  several  functions  need  to  be  expanded  and  strengthened  in 
order  to  better  understand  and  address  vulnerabilities.  Third,  a  new  organization  would 
strengthen  these  functions  if  it  were  structured  to  engage  industry,  academia,  and 
government  in  forging  an  integrated,  national  approach.  Of  critical  concern  is  the  need  to 
engage  industry  participants  in  designing  and  executing  the  functions. 

The  analyses  and  assessments  in  the  following  chapters  provide  a  detailed 
description  of  the  state  of  understanding  of  information  infrastructure  vulnerabilities,  the 
functions  that  need  to  be  strengthened,  and  an  explanation  of  why  the  I3P  presents  the 
best  approach  for  addressing  these  needs.  In  the  final  chapter,  we  draw  this  work  together 
in  the  form  of  a  proposed  concept  of  operations  for  the  I3P. 




Part  II 


Growing  Awareness  of  Infrastructure  Vulnerabilities 


Chapter  3 

GAINING  AN  UNDERSTANDING  OF  CYBER  VULNERABILITIES 


It  is  now  widely  accepted  that  networked  information  systems  are  vulnerable  to 
cyber  attack  and  that  hostile  actors  are  exploring  how  they  might  take  advantage  of  that 
vulnerability.  No  one  understands  the  vulnerabilities  with  sufficient  clarity,  however,  to 
identify  all  the  steps  necessary  to  protect  the  critical  information  infrastructure.  In 
particular,  not  enough  is  known  to  build  a  business  case  for  more  private  research. 
Because  the  potential  risk  is  of  strategic  importance  for  the  U.S.,  it  is  essential  that  this 
gap  in  understanding  be  closed. 

In  this  chapter  and  the  one  that  follows,  we  review  several  current  unclassified 
assessments  of  current  vulnerabilities.  The  goal  is  to  establish  a  clearer  view  of  the  kinds 
of  research  needed  to  understand  and  address  vulnerabilities,  and  to  identify  where  the 
gaps  are  in  current  research  and  development  programs.  In  this  chapter  we  consider  the 
generic  vulnerabilities  associated  with  the  ways  business  is  employing  networked 
information  systems.  In  the  next  chapter,  we  examine  several  sectors  in  more  depth  in 
order  to  illustrate  some  of  the  ways  in  which  vulnerabilities  depend  on  the  specific 
applications  of  networked  information  systems  by  each  sector. 

A.  BACKGROUND 

In its 1997 report, the PCCIP noted that the United States was only beginning to
understand  its  vulnerabilities.1  It  nevertheless  concluded  that  the  risk  to  the  United  States 
was  sufficient  to  require  federal  action: 

The  threat  of  infrastructure  attacks  therefore  has  the  potential  for  strategic 
damage  to  the  United  States.  Accordingly,  the  assurance  of  critical 
infrastructures  deserves  national  attention  and  leadership  by  the  federal 
government. ...  Protecting  our  infrastructures  into  the  21st  century  requires 


1  See  President’s  Commission  on  Critical  Infrastructure  Protection,  Critical  Foundations:  Protecting 
America’s  Infrastructures,  1997,  5, 6. 




[...] of [...] vulnerabilities and act [...]

[...] noted that the United States must [...] about threats and [...]
through an “analytical understanding of [...] reliability, vulnerability, and threat
environment” based on a “systematic [...] analysis.” The [...] notes
that “many of the recognized [...] on networks [...]
infrastructure have not actually been experienced.” [...]
the targeted [...] has [...] disclosed [...]

Another observer notes that the United States lacks the [...]
attacks or their probability of success. [...]
critical [...] dependence of [...] disclosed [...]

Ibid., 6, 24.

[...] A Primer on Risk [...]

[...] vulnerabilities of general information networks [...]
particular sectors. [...] issue here is information specific to deployed network [...]

[...] Infrastructures,” [...]

[...] or economic security. Risk [...] that would exploit those vulnerabilities, and the
consequences of exploitation.




•  What  are  the  systemic  vulnerabilities  in  these  structures  that  could  be 
exploited?  To  what  extent  are  vulnerabilities  unique  to  individual  sectors 
versus  common  to  two  or  more  sectors? 

•  How  seriously  could  a  cyber  attack  damage  each  of  the  infrastructure  sectors, 
i.e.,  what  would  be  the  extent  of  the  damage,  the  recovery  time,  and  the 
recovery  costs?  How  would  potential  damage  scenarios  affect  military 
effectiveness,  public  confidence  and  safety,  and  national  policy?  How  long 
could  attacks  continue  before  each  of  the  infrastructure  sectors  could  be  made 
secure  or  attackers  could  be  neutralized? 

•  What  must  an  adversary  do  to  prepare  an  attack  that  would  cause  serious 
damage,  e.g.,  what  information  is  required  and  who  has  sufficient 
organizational  capability  to  mount  a  major  attack? 

Some  of  the  work  that  is  beginning  to  address  these  questions  is  surveyed  in  the 
remainder  of  this  chapter.  We  describe  some  of  the  general  concerns  arising  from  the 
growing  use  of  networked  information  systems  and  automatic  control  systems,  and  then 
assess  what  is  known  today  about  the  capabilities  of  potential  attackers  and  actual  attacks 
that  have  been  perpetrated. 

B.  INFRASTRUCTURE  VULNERABILITIES  AND  NETWORKED 
INFORMATION  SYSTEMS 

Dependence  on  critical  infrastructure  sectors  is  not  new.  What  is  new  is  that  the 
sectors  have  become  more  dependent  on  networked  information  systems  for  operations  as 
well  as  business  management.  As  operational  control  systems  and  other  critical  functions 
have  been  automated,  infrastructure  services  have  become  subject  to  the  vulnerabilities  of 
complex  computer  and  communications  networks. 

The  automation  and  centralization  of  core  infrastructure  functions  have  magnified 
the  potential  consequences  of  a  well-informed  information  infrastructure  attack.  Whoever 
controls  the  control  system  controls  the  infrastructure  to  a  frightening  degree.  A 
disgruntled  insider  could  potentially  shut  the  infrastructure  down.  The  leverage  of 
automated  controls  may  also  be  available  to  knowledgeable  outsiders  if  they  can  access 
them  through  remote-access  facilities. 

Moreover,  individual  organizations  are  increasingly  interconnecting  their 
networks,  internally  and  externally,  via  both  dedicated  channels  and  the  Internet.  Market 
forces  and  information  technology  are  driving  companies  to  closer  business  and 
operational relationships. Electronic commerce is linking operators with suppliers,
customers, and peers. In sectors such as energy and telecommunications, deregulation has
greatly increased the number of organizations jointly involved in providing services,
again increasing the number of required interconnections. This raises the risk that
malicious outsiders could exploit such linkages to penetrate critical internal systems,
either directly or via other systems connected to critical systems. Further, greater
interdependence raises the likelihood that disruptions of one network will cause
cascading disruptions both within and between infrastructure sectors. Each network
potentially takes on the vulnerabilities of all the networks to which it is connected.7

While mission-critical systems nearly always reside on dedicated networks,
increasingly, such networks are being connected to other networks that have external
connections via the Internet or modem. This provides a vulnerable point of access that
potentially exposes mission-critical systems to anonymous attacks from throughout the
world.
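
The exposure described in the last two paragraphs can be checked mechanically once an operator has an inventory of interconnections. The following added example (not from the report; the topology and network names are constructed) finds the shortest chain of links from any external entry point to each mission-critical network and lists the single links whose removal would isolate it.

```python
from collections import deque

# Constructed inventory of two-way interconnections (illustrative names only).
LINKS = [
    ("internet", "corporate_lan"),
    ("internet", "supplier_extranet"),
    ("dialup_modem", "engineering_lan"),
    ("corporate_lan", "billing"),
    ("corporate_lan", "engineering_lan"),
    ("supplier_extranet", "corporate_lan"),
    ("engineering_lan", "scada_control"),
    ("protection_relays", "substation_bus"),  # an island with no outside link
]
ENTRY_POINTS = {"internet", "dialup_modem"}
CRITICAL = {"scada_control", "protection_relays"}


def build_graph(links):
    """Adjacency sets for an undirected interconnection graph."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def exposure_paths(links, entry_points, critical):
    """Map each critical network to its shortest path from any entry point.

    A value of None means no chain of interconnections reaches that network.
    """
    graph = build_graph(links)
    # Multi-source breadth-first search: every entry point starts at distance 0.
    parent = {e: None for e in entry_points if e in graph}
    queue = deque(sorted(parent))
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    result = {}
    for target in critical:
        if target not in parent:
            result[target] = None
            continue
        path, node = [], target
        while node is not None:
            path.append(node)
            node = parent[node]
        result[target] = path[::-1]
    return result


def links_that_isolate(links, entry_points, critical_net):
    """Single interconnections whose removal cuts every path to critical_net."""
    cuts = []
    for i, link in enumerate(links):
        remaining = links[:i] + links[i + 1:]
        paths = exposure_paths(remaining, entry_points, {critical_net})
        if paths[critical_net] is None:
            cuts.append(link)
    return cuts


if __name__ == "__main__":
    for net, path in sorted(exposure_paths(LINKS, ENTRY_POINTS, CRITICAL).items()):
        print(net, "->", " / ".join(path) if path else "not reachable")
    print("isolating links:", links_that_isolate(LINKS, ENTRY_POINTS, "scada_control"))
```

In the constructed inventory the control network has no external connection of its own, yet it sits two hops from a modem; removing the modem still leaves a longer path through the corporate network.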

In sum, the dependence of critical infrastructure sectors on networked information
systems raises new issues about their trustworthiness.8 The potential for accidental or
deliberately induced failures and misuse of these systems poses a risk for those who
depend on the infrastructure sectors. Service may become unavailable or unreliable, and
information may be stolen or corrupted.

C.  VULNERABILITY  OF  AUTOMATED  CONTROL  SYSTEMS 

Critical infrastructure sectors can be disrupted by the failure or misuse of their
automated control systems.9 These systems are complex networks of disparate
components, subsystems, and communications links that are substantially controlled by
software. Systems may fail in a discrete way if key components fail, for example, if the
central computer loses power. They may also fail in a chain reaction if anomalous events
ripple through tightly coupled subsystems, for example, when a downed power line leads
to a massive power blackout.10 Failures may occur accidentally or may be triggered by
malicious misuse or attack.

7  Organizational interfaces may be particularly vulnerable because they tend to diffuse responsibility and [...]

8  For a discussion of trustworthiness, see National Research Council, Trust in Cyberspace,
Committee on Information Systems Trustworthiness, [...]

9  This section borrows heavily from Cybernation.

Most  infrastructure  control  networks  are  combinations  of  interconnected  and 
interdependent  networks,  operating  together  to  provide  real-time  control.  Each  system’s 
performance  depends  on  the  unpredictable  interactions  of  its  subsystems  and  the  full 
system’s  tolerance  for  component  and  subsystem  faults.  Even  a  complex  system  can  be 
made  robust,  with  redundancy  in  critical  subsystems  and  provisions  to  contain  cascading 
events.  However,  system  designers  must  make  tradeoffs  among  reliability,  cost,  and 
performance.  Moreover,  infrastructure  control  systems  rarely  reflect  a  single  top-down 
design.  Instead,  they  evolve  over  time  as  customer  requirements  expand,  technologies 
change,  and  software  is  updated.  There  is  a  constant  need  to  engineer  solutions  to 
problems  that  emerge.  The  susceptibility  of  a  network  to  major  disruptions,  then,  can  only 
be  judged  by  carefully  assessing  many  technical  factors.11  Without  careful  study,  it  is  not 
readily  apparent  how  prone  a  system  is  to  failure. 
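
A toy model of the chain-reaction failure described above, added here as an illustration and not taken from the report or from Cybernation: the line names, loads and capacities are constructed, and the equal redistribution of a tripped line's flow is a simplifying assumption rather than a power-flow calculation. It shows a system with ample total capacity collapsing after one failure, and the same system surviving with load shedding or added margin.

```python
# Constructed four-line system (same units throughout, e.g. MW).
CAPACITY = {"line_1": 100, "line_2": 80, "line_3": 100, "line_4": 100}
LOAD = {"line_1": 60, "line_2": 70, "line_3": 50, "line_4": 40}


def simulate_cascade(capacity, load, first_failure, shed_load=False):
    """Trip one line, redistribute its flow, and repeat until the system is stable.

    capacity, load: dicts keyed by line name.
    shed_load: if True, demand that the survivors cannot carry is dropped
               instead of overloading them (a provision to contain the cascade).
    Returns (rounds, served): the lines that tripped in each round, and the
    demand still being carried when the system settles.
    """
    flow = dict(load)
    rounds = []
    tripping = [first_failure]
    while tripping:
        rounds.append(sorted(tripping))
        # Flow carried by the tripped lines has to go somewhere.
        orphaned = sum(flow.pop(name) for name in tripping)
        if not flow:
            break  # nothing left in service: total blackout
        # Assumption: survivors pick up the orphaned flow in equal shares.
        share = orphaned / len(flow)
        for name in flow:
            flow[name] += share
        if shed_load:
            # Containment: cap each survivor at its rating and drop the excess.
            for name in flow:
                flow[name] = min(flow[name], capacity[name])
            tripping = []
        else:
            # Tight coupling: any line pushed past its rating trips next round.
            tripping = [n for n in flow if flow[n] > capacity[n]]
    return rounds, sum(flow.values())


if __name__ == "__main__":
    print("no containment:", simulate_cascade(CAPACITY, LOAD, "line_1"))
    print("load shedding: ", simulate_cascade(CAPACITY, LOAD, "line_1", shed_load=True))
    more_margin = dict(CAPACITY, line_2=100)
    print("added margin:  ", simulate_cascade(more_margin, LOAD, "line_1"))
```

After the first line trips, the three survivors have 280 units of capacity for 220 units of demand, yet the uneven margins still produce a full outage in three rounds. That is the sense in which susceptibility to failure is not readily apparent without study.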

Cybernation  (pp.  18—19)  provides  a  roadmap  for  the  study  of  information  system 
vulnerabilities,  identifying  the  following  key  system  elements  and  their  vulnerable  points: 

•  Operational  concept  (e.g.,  range  of  computer  control,  scope  of  remote 
commands,  options  for  external  entry,  response  to  failures  and  data  corruption, 
recovery  process) 

•  Architecture  and  information  flows  (subsystem  interactions,  tightness  of 
subsystem  coupling,  system  tolerance  to  degraded  components,  failure  modes, 
provisions  to  contain  cascading  effects,  redundancy,  interconnection  with 
other  networks) 

•  Network  components  (operating  limitations  or  design  flaws  in  critical 
components  such  as  supervisory  control  and  data  acquisition  (SCADA) 
systems,  gateways,  firewalls,  routers,  servers) 

•  Signal  protocols  and  transmission  methods  (encryption  capability  and 
susceptibility  to  monitoring,  interception,  interference,  spoofing,  or  jamming) 

•  Human  factors  (human  judgment  in  the  loop,  carelessness,  inattention, 
procedural  error,  well  intentioned  workarounds,  personnel  reliability) 


10  In  July  1996,  for  example,  a  transmission  line  in  Oregon  sagged  into  trees  and  short-circuited, 
overloading  and  shutting  down  other  lines,  eventually  including  the  main  links  to  California.  Safety 
systems  shut  down  generators  that  were  overwhelmed  by  the  resulting  excess  power  demands. 
Altogether,  15  states  were  affected.  This  example  is  recounted  in  Cybernation,  12. 

11  See  Cybernation,  12. 




•  Existing  security  environment  (security  of  password  files,  access  to 
supervisory  features,  integrity  of  access  logs,  ability  of  administrator  to  detect 
intrusions,  implementation  of  security  tools) 

One  of  the  more  difficult  engineering  challenges  is  ensuring  the  reliability  of  the 
software  for  infrastructure  control  systems.12  Validating  such  complex  software  requires 
exhaustive  testing,  which  can  be  prohibitively  expensive  and  may  not  be  technically 
feasible.  Further,  increasing  reliance  on  outsourced  software  development  and 
commercial-off-the-shelf  products  can  leave  infrastructure  operators  with  insufficient 
information  to  understand  or  validate  critical  control  software.  Software  updates  may 
introduce logical and coding errors, undo previous corrections, and alter timing.
Malicious code may be deliberately and surreptitiously included during software
development or modification.

D.  POTENTIAL  THREATS 

The  government  is  concerned  about  the  national  security  implications  of  increased 
infrastructure  risk.13  Most  seriously,  foreign  governments  may  execute  organized  attacks 
on  our  critical  infrastructure  sectors  by  exploiting  their  cyber  vulnerabilities.  George 
Tenet,  Director  of  Central  Intelligence,  has  testified: 

We know with specificity of several nations that are working on
developing an information warfare capability.... These countries recognize
that cyber attacks—possibly launched from outside the U.S.—against
civilian computer systems in the U.S. represent the kind of asymmetric
option they will need. ... (T)he battle-space of the information age will
surely extend to our domestic infrastructure. Our electric power grids and
our telecommunications networks will be targets of the first order.14


12  Ibid., 11-12.

13  The PDD-63 white paper notes that “non-traditional attacks on our infrastructure and information
systems may be capable of significantly harming both our military power and our economy.”

14  Tenet notes that several countries have government-sponsored offensive and defensive information
warfare programs and that information warfare is included in their military doctrines and war college
[...] for both battlefield and civilian areas. See George J. Tenet, “Testimony by Director of
Central Intelligence George J. Tenet before the Senate Committee on Government Affairs,” June 24,
[...] 2-3. Two additional documents are also of interest: Qiao Liang and Wang Xiangsui,
Unrestricted Warfare (Beijing: PLA Literature and Arts Publishing House, February 1999); Andrew
W. Hull, The Chinese Approach to Information Warfare, IDA Document D-2432, Institute for Defense
Analyses, Alexandria, VA. Another experienced observer, however, notes that the planning of cyber


Tenet  similarly  notes  a  serious  threat  from  sub-national  groups: 

Terrorists,  while  unlikely  to  mount  an  attack  on  the  same  scale  as  a  nation, 
can  still  do  considerable  harm. 15 

Other  potential  threats  include  attacks  by  organized  crime  groups,  malicious 
hackers,  and  disgruntled  insiders.  The  government’s  concern  over  these  latter  threats  may 
be  more  a  matter  of  law  enforcement  or  economic  security  than  of  national  security  per 
se. 

The  information  warfare  activities  of  other  governments  were  also  noted  by  the 
deputy  commander  of  DOD’s  Joint  Task  Force  on  Computer  Network  Defense: 

The odds of the U.S. being attacked on line by a foreign nation state in
some  kind  of  cyber  war  in  the  near  future  are  probably  pretty  low.  But  the 
odds  of  foreign  nation  states  wanting  to  develop  capabilities  to  help  them 
if  and  when  we  are  adversaries  are  probably  pretty  high.  We  need  to  have 
the  same  capability  or  better.16 

Cybernation  (pp.  15-16)  discusses  three  categories  of  potential  attackers: 

•  Computer  hackers  motivated  by  technical  challenge,  mischief  making,  or  theft 
will  perpetrate  small-scale  intrusions  resulting  in  altered  or  destroyed  data  or 
locally  degraded  operations,  with  the  potential  to  trigger  cascading  failures 
inadvertently.17 

•  Anarchists  motivated  by  malice  or  criminal  purpose  will  deliberately  seek  to 
damage  infrastructure  sectors  by  attacking  critical  components  or  corrupting 
software  and  data.  They  will  not  necessarily  conduct  a  careful  assessment  of 
the  precise  effects  of  their  attacks  but  could  easily  trigger  major  disruptions. 

•  Coordinated  cyber  attacks  by  more  sophisticated  attackers  motivated  by 
strategic  political  goals  will  be  organized  carefully  to  yield  specific  outcomes. 
Techniques  will  include  hacking,  planting  Trojan  horses  or  logic  bombs  in 
operating  system  software,  and  co-opting  insiders  with  specialized  knowledge. 


attacks  and  their  integration  into  military  doctrine  are  in  their  infancy.  See  Lukasik,  “Protecting 
Information-Dependent  Infrastructures,”  8. 

15  See  Tenet,  “Testimony  by  Director  of  Central  Intelligence,”  3.  Note  also  that  even  lower-scale  attacks 
may undermine public confidence in the information infrastructure and weaken support for the
government. 

16  This  comment  by  Navy  Captain  Bob  West  was  reported  in  Frank  Wolfe,  “Task  Force  Monitoring 
Cyber  Intrusions  around  the  Clock,”  Defense  Daily,  July  27,  1999. 

17  Hackers also use tools such as trin00 and Tribe Flood Network (TFN) to launch massive denial of
service  attacks  on  particular  networks  by  causing  hundreds  of  compromised  computers  to  send  certain 
messages  to  the  intended  victim  via  the  Internet. 




[...] of damage could be achieved by attackers in any of these categories.

E.  [...] BODY OF EVIDENCE [...]

There is ample evidence that [...] infrastructure result when
information networks are beset by natural phenomena [...].
There are alarming statistics on [...] and a number of anecdotes
about hackers penetrating internal control systems. There are also anecdotes about foreign
governments and sub-national groups probing [...] networks. However, there
have not been instances of hostile attacks [...] disruptions of critical
infrastructure sectors in this country.18

[...] of [...] a Northridge, California, [...]
telephone service when two major [...] facilities failed. In September 1991,
equipment and human failure combined [...]
traffic for New York City. [...]
workers ignored alarms for [...] hours [...]. [...] shutdown affected 90 percent of
communications with the New York air traffic [...], forcing the cancellation of
flights and inconveniencing air travelers for [...] hours. [...] disruptions are caused by
faulty software. In August 1999, problems [...] at MCI Worldcom
disrupted its high-speed frame-relay data service for [...] Chicago Board
of Trade to shut down its electronic trading [...] a number of [...]
service providers from serving [...] of their customers.

[...] business day. [...]

19  [...]

20  [...] upgrade provided by Lucent [...]


A  picture  of  recent  intentional  cyber  intrusions  in  the  United  States  is  provided  by 
the  Computer  Security  Institute’s  1999  survey  of  computer  crime  and  security.21  Some 
62  percent  of  the  responding  private  and  government  organizations  experienced 
unauthorized  use  of  their  computer  systems  during  the  previous  year,  with  9  percent  being 
aware  of  more  than  10  incidents.  Incidents  originated  outside  for  33  percent  and  inside  for 
37  percent  of  the  organizations.  Disgruntled  employees  and  independent  hackers  were 
most  frequently  cited  as  likely  sources,  although  foreign  governments  too  were  cited  by 
17  percent  of  the  respondents.  The  most  frequently  reported  types  of  incidents  were 
insider  abuse  of  network  access  and  contamination  by  viruses.  Other  incidents  included 
denial  of  service,  system  penetration  by  outsiders,  sabotage  of  data  or  networks,  theft  of 
proprietary  information,  and  fraud.  Resulting  financial  losses  to  the  respondents  were 
estimated  to  total  at  least  $124  million,  primarily  due  to  theft  and  fraud.  Overall,  the 
survey  confirms  that  vulnerabilities  exist  and  are  being  exploited  frequently. 

There  are  also  a  number  of  anecdotes  describing  deliberate  attacks  against  the 
computer  networks  that  control  critical  infrastructure  sectors.  In  1997,  for  example,  a 
hacker reportedly shut down a 911 emergency calling system in Florida for an hour, and
another  hacker  disabled  vital  services  to  a  Federal  Aviation  Administration  (FAA)  control 
tower  in  Worcester,  Massachusetts.22  In  another  case,  a  U.S.  hacker  gained  access  to  the 
control  system  for  a  California  dam  and  reportedly  could  have  released  a  flood  of  water, 
causing  considerable  loss  of  life.  Fortunately,  that  was  not  the  hacker’s  intent.  A  1997 
DOD  military  exercise  called  Eligible  Receiver  simulated  attacks  on  electric  power  and 
telecommunications  infrastructure  sectors  via  the  Internet.23  The  scripted  infrastructure 


MCI  Worldcom  reportedly  tried  for  several  days  to  fix  the  problem  with  the  network  online,  but  finally 
was  forced  to  shut  down  the  system  and  reload  an  older  software  version. 

21  The  Computer  Intrusion  Squad  at  the  FBI’s  San  Francisco  office  participated  in  the  survey.  The  1999 
survey  drew  521  responses  from  a  broad  spectrum  of  private  and  governmental  organizations, 
including  104  from  the  financial  sector.  The  median  organization  employed  from  1,000  to  5,000  people 
and  had  a  gross  income  between  $500  million  and  $1  billion  per  year.  The  survey  results  are  available 
at  http://www.gocsi.com. 

22  These  examples  are  recounted  in  National  Research  Council,  Trust  in  Cyberspace,  18. 

23  Eligible  Receiver  is  discussed  in  President’s  Commission  on  Critical  Infrastructure  Protection,  Critical 
Foundations:  Protecting  America’s  Infrastructures,  1997,  8.  For  a  skeptical  perspective  on  Eligible 
Receiver,  see  George  Smith,  “An  Electronic  Pearl  Harbor?  Not  Likely,”  Issues  in  Science  and 
Technology Online, http://205.130.85.236/issues/15.1/smith.html, Fall 1998, 9. Smith notes that the
significance  of  the  exercise  cannot  be  determined  because  the  government  has  not  released  enough 
information  on  its  methodology. 




attacks,  together  with  hacker  attacks  on  DOD  computers,  were  judged  sufficient  to 
disrupt  operations  at  selected  military  bases  and  thereby  degrade  DOD’s  ability  to  deploy 
and sustain military forces.

There is little reliable information on cyber attacks by foreign governments on
infrastructure sectors. While a number of attacks on DOD computers have been
reported, these incidents generally have been perpetrated by independent hackers.24 At
least initially, the so-called Moonlight Maze episode appeared to be an exception.*
Beginning in March 1999, a number of news publications reported that DOD computers
were being probed and information was being stolen by hackers evidently originating in
Russia. There was no official confirmation that the Russian government was
involved and the Pentagon denied that any secrets were compromised.*

The  preceding  discussion  suggests  where  research  and  related  actions,  possibly 
guided  by  a  new  national-level  information  protection  organization,  are  needed  to 
understand and address the vulnerabilities created by the growing use of networked
information systems to manage operations in critical infrastructure sectors. The next
chapter  explores  some  vulnerability  issues  specific  to  each  of  several  sectors. 


[...] Council, [...] Committee on [...]

[...] on Moonlight Maze [...] the Crypt Newsletter at
http://www.soci.niu.edu/~crypt/other/mmaze.html. [...] involvement of Russian government
organizations are attributed to anonymous [...]

[...] a kind of cyber propaganda war with Chechnya, hacking Web sites [...] Russian
censorship of war news. See Paul Goble, [...] Radio Free Europe/Radio Liberty (RFE/RL)
Newsline, [...]

[...] the Kosovo conflict, computers at NATO headquarters were spammed by [...] Serbia
in an attempt to disrupt them by overwhelming them with information. There is [...] that
this sophisticated attack was sponsored by the Serbian government. See Frank [...],
“[...] Serb Attacks on DOD Web Sites,” Defense Daily, [...] 1999.




Chapter  4 

VULNERABILITIES  IN  KEY  SECTORS 


The  critical  infrastructure  sectors  rely  on  networked  information  systems  that  are 
built  in  large  part  of  common  elements,  but  specialized,  to  a  considerable  extent,  to  meet 
the  needs  of  each  sector.  The  research  and  development  necessary  to  understand  and 
address  infrastructure  vulnerabilities  must,  therefore,  consider  both  the  general 
vulnerabilities  described  in  the  preceding  chapter  and  the  vulnerabilities  arising  from 
sector-  and  even  company-specific  applications.  Thus,  as  stressed  earlier,  industry  must 
be  closely  involved  in  formulating  and  executing  R&D  in  this  area.  This  chapter 
illustrates  these  points  by  describing  some  of  the  specific  issues  associated  with  several 
important  sectors. 

We  summarize  here  the  findings  of  recent  studies  on  the  Internet, 
telecommunications,  electric  power,  transportation,  and  financial  services  sectors.1  These 
studies  describe  the  growing  dependence  of  these  sectors  on  networked  information 
systems  and  reveal  ways  that  potential  vulnerabilities  may  depend  on  how  systems  are 
used  within  a  sector.  How  vulnerable  these  sectors  actually  are  remains  uncertain, 
however,  because  the  published  assessments  of  vulnerabilities  typically  do  not  have 
access  to  detailed  system  designs  and  security  methods.  As  discussed  in  chapter  3,  much 
more  study  is  needed. 

A.  INTERNET  SERVICE 

The  Internet  is  an  increasingly  important  communications  mode  but  is  generally 
viewed  as  providing  inadequate  reliability  and  security.2  Moreover,  interconnection  with 


1  The  selection  of  these  sectors  for  this  chapter  was  based  on  the  availability  of  suitable  published 
studies. 

2  See  President’s  National  Security  Telecommunications  Advisory  Committee,  “Internet  Report:  An 
Examination  of  the  NS/EP  Implications  of  Internet  Technologies,”  Network  Group,  June  1999,  15. 
(Hereinafter cited as NSTAC-Internet.)




In  its  study,  the  PCCIP  determined  that  the  public  telecommunications  network 
was  potentially  vulnerable  to  a  major  attack: 

With  network  elements  increasingly  interconnected  and  reliant  on  each 
other,  cyber  attacks  simultaneously  targeting  multiple  network  functions 
would  be  highly  difficult  to  defend  against,  particularly  if  combined  with 
selected  physical  destruction  of  key  facilities.  The  possibility  that  such 
disruption  could  cascade  across  a  substantial  part  of  the  public 
telecommunications network cannot be ruled out. . . . No one knows how the
network  would  react  under  coordinated  attack.12 

The  PCCIP  noted  that  more  focused  attacks,  for  example  on  Wall  Street  or  a  port 
of  military  embarkation,  are  even  more  feasible. 

1.  Existing  Vulnerabilities 

Telecommunications  networks  are  composed  of  a  number  of  essential  elements: 

•  Transmission  media  move  signals  from  point  to  point.  Multiplexing 
equipment  and  other  automated  devices  are  used  to  configure  and  sustain 
communications  paths  through  these  media. 

•  Switches  and  routers  direct  calls  and  data  along  the  communications  paths. 
They  are  both  software-controlled  devices. 

•  Common  channel  signaling  (CCS)  systems  are  data  networks  used  to  set  up 
calls  on  switched-voice  networks,  collect  billing  information,  and  enable 
special  services. 

•  Network  management  systems  control,  configure,  and  maintain  other  network 
elements.  These  processes  are  highly  centralized  and  automated,  so  that 
manual  network  management  is  now  considered  to  be  virtually  impossible.13 

Telecommunications  providers  have  relied  heavily  on  access  controls  for  security. 
However,  anyone  who  can  successfully  connect  to  the  advanced  operations  channels  has 
“virtually  unlimited  access  to  everything  and  everyone  connected  to  them.”14  Potential 
attackers  could  affect  the  operation  or  configuration  of  network  elements,  for  example,  by 
altering  or  blocking  network  management  messages  on  the  CCS  system.  Attackers  could 


12 See President’s Commission on Critical Infrastructure Protection (PCCIP), Critical Foundations:
Protecting America’s Infrastructures, 1997, A-7.

13  Ibid.,  A-6. 

14 See Network Reliability and Interoperability Council, NRIC Network Interoperability: The Key to
Competition, Final Report, July 15, 1997, 110.




disrupt  traffic  or  access,  modify,  disclose,  or  destroy  information.  An  attacker  could  use 
remote maintenance and test channels to shut down particular pieces of equipment.15

The  risk  of  attack  has  increased  in  recent  years  because  the  level  of  resources 
needed  to  mount  an  attack  has  fallen.  Intruders  and  their  tools  have  become  more 
sophisticated.  Techniques,  tutorials,  and  software-based  tools  for  “script  kiddies”  are 
readily  available  on  the  World  Wide  Web.  More  than  a  dozen  methods  of  intrusion  at  the 
system  root  level  have  been  identified.  Technical  descriptions  are  “generally  accurate 
instructions  for  exploiting  the  vulnerabilities  of  the  [public  switched  network]  and 
network  elements,  including  digital  switches.”16 

Substantial  growth  in  interconnections  among  separately  owned  networks  is 
increasing  their  vulnerability.  The  Telecommunications  Act  of  1996  requires  local 
exchange carriers to grant nondiscriminatory interconnection and unbundled network
access  to  any  requesting  telecommunications  carrier.17  The  intent  is  to  promote 
competition  by  enabling  new  entrants  to  offer  seamless  and  transparent  services  across 
networks.  One  unintended  result,  however,  is  to  create  an  open  environment  without  the 
requisite  security  standards  and  solutions,  creating,  in  turn,  “enormous  holes  in  existing 
security  mechanisms  and  access  controls.”18  The  number  of  relatively  unknown  people 
and  processes  with  privileged  access  is  increasing.  While  the  public  telecommunications 
network  has  a  history  of  security  exposure,  the  vulnerability  raised  by  interconnections 
“over  the  last  decade  is  without  precedent.”19 

What  is  particularly  worrisome  is  that  interconnection  is  unbundled.  That  is, 
carriers  are  granted  access  to  each  other’s  CCS  systems  and  certain  management 
networks.  This  is  much  more  intimate  than  simply  handing  off  calls  for  completion  on 
another  network.  Other  carriers  may  have  access  to  systems  used  to  operate,  administer, 
maintain,  and  provision  the  network.  Given  the  current  approach  to  security, 
interconnection  requires  a  high  degree  of  trust.  If  an  attacker  can  penetrate  one  carrier’s 


15  The  PCCIP  cited  a  cyber  attack  on  a  SONET  ring.  The  attack  demonstrated  the  potential  for  remote 
attacks  causing  widespread  outages.  See  PCCIP,  Critical  Foundations,  A-8. 

16  See  NRIC  Network  Interoperability,  110. 

17  Actually,  the  FCC  initiated  the  move  to  mandatory  interconnections  in  May  1986  when  it  introduced 
the Open Network Architecture (ONA). See Karen Olsen and John Tebbutt, “The Impact of the FCC’s
Open Network Architecture on NS/EP Telecommunications Security,” NIST Special Publication
800-11,  August  1995, 2. 

18 See NRIC Network Interoperability, 108.

19  Ibid. 



communications,  collects  data,  initiates  alarms,  and  transmits  application-directed  control 
commands  to  field  equipment.  The  SCADA  host  computer  may  draw  information  from 
30,000  or  more  data  collection  points.  The  EMS  also  includes  an  automatic  generation 
control  system  that  manages  power  generation,  for  example,  originating  control  signals 
that  instruct  generating  units  to  adjust  output.  The  ongoing  trend  is  for  utilities  to  move 
toward  “standard”  vendor  products  using  distributed  client/server  technology  but  there  are 
also  legacy  mainframe  systems. 

2.  Control  Center  Vulnerabilities 

The  control  system  is  vulnerable  to  attack  through  both  the  control  center  and  the 
substations.  It  is  also  dependent  on  communications  systems  that  transmit  data  and 
control  signals. 

For  a  number  of  reasons,  the  control  center  is  increasingly  interconnected  with 
other  networks  and  outsiders. 

•  Utilities  frequently  interconnect  their  corporate  information  system  with  their 
control  centers  in  order  to  access  control  system  data.  Firewalls  or  dial-back 
modems  may  be  used  for  security. 

•  There  are  also  operational  links  among  utilities’  control  centers  to  implement 
power  sharing  agreements,  e.g.,  to  balance  loads  or  schedule  transmissions. 
These  links  have  typically  been  one-way,  with  proprietary  protocols  and 
application-level  controls,  and  have  been  considered  difficult  targets. 
However,  a  trend  toward  using  standard  protocols  will  enlarge  the  pool  of 
knowledgeable  potential  attackers.  Links  to  other  utilities  are  increasing  as  a 
result  of  deregulation,  which  is  placing  generation,  transmission,  and 
distribution  functions  in  separate  companies.  These  links,  too,  are  driving  a 
movement  toward  standard,  open  protocols.  Mergers  among  utilities  are  also 
increasing  operational  links  between  formerly  separate  companies. 

•  Utilities  more  and  more  use  commercially  developed  software  and  outsource 
its  customization  and  maintenance.  As  a  result,  outside  manufacturers  and 
integrators  are  being  granted  access  to  control  centers  through  dial-in  ports  for 
the  purpose  of  updating  software  and  performing  other  maintenance. 

•  Operations  and  information  systems  personnel  at  many  utilities  can  access 
systems  remotely  for  after-hours  troubleshooting,  system  administration,  and 
maintenance. 

The  potential  harm  done  by  intruders  depends  importantly  on  how  knowledgeable 
they  are.  In  general,  electronic  intruders  who  gain  access  to  the  control  center  can 




potentially  crash  the  EMS.  However,  most  utilities  can  revert  to  manual  coordination  if 
all  control  center  functions  are  lost.  Intruders  who  are  more  knowledgeable  may  also  be 
able  to  corrupt  billing  databases  or  issue  false  commands  (e.g.,  open  and  close  relays,  shut 
down  lines,  and  perhaps  affect  generation).  Extremely  knowledgeable  intruders  could 
manipulate  the  flow  of  data  to  the  control  center,  inducing  responses  to  spurious 
indications,  but  very  few  people  have  the  requisite  technical  skills  and  utility-specific 
knowledge  for  this.24 

3.  Other  Vulnerabilities 

Other  vulnerabilities  are  specific  to  the  substations  and  field  equipment.  Many 
field  devices,  for  example,  breakers,  switches,  and  relays,  are  now  remotely 
programmable.  Utility  engineers  can  dial  in  to  the  devices  and  change  the  settings.  An 
intruder  could  use  this  facility  either  to  set  a  breaker  too  high  and  expose  protected 
equipment  to  physical  damage  or  to  set  it  too  low  and  cause  the  system  to  shut  down  for 
self-protection.  The  intruder  would  have  to  identify  the  correct  telephone  line  or  port  but 
would  not  necessarily  encounter  additional  access  controls.25  Also,  RTUs  at  the 
substations  often  have  maintenance  ports  with  dial-up  access  through  which  an  intruder 
could  issue  commands  or  report  spurious  data  back  to  the  control  center. 

The  communications  links  underlying  the  control  system  are  also  a  source  of 
vulnerability.  Perhaps  two-thirds  of  this  capacity  is  typically  owned  by  the  utility,  mainly 
microwave  and  fiber-optic  media.26  These  lines  are  not  immune  to  many  of  the 
vulnerabilities  of  public  networks.  For  example,  microwave  transmissions  can  easily  be 
jammed  using  devices  described  on  various  Internet  Web  sites.  Further,  utilities 
sometimes  sell  communications  capacity  to,  and  share  rights  of  way  with,  public 
networks.  When  utility  control  systems  do  utilize  public  networks,  it  is  typically  for 
redundancy,  for  “last  mile”  connectivity,  to  access  geographically  remote  regions,  or  to 
interconnect  with  other  utilities.  In  case  the  communications  lines  go  down,  a  utility  can 
dispatch  operatives  with  cellular  phones  or  mobile  radios  to  report  back  information. 
However,  it  would  be  difficult  and  dangerous  to  try  to  restore  power  in  this  situation,  for 
example,  after  an  attack  on  the  control  system  itself. 


24  Ibid.,  14.  Disgruntled  employees,  current  and  past,  may  have  the  knowledge  to  cause  serious  damage. 

25  Ibid. 

26  Ibid.,  15. 



In  conjunction  with  deregulation,  utilities  are  now  required  to  post  real-time 
transmission  capacity  and  price  information  on  their  open  access  same-time  information 
system  (OASIS)  Web  site.  While  utilities  typically  secure  this  link  between  the  control 
system  and  the  Internet,  it  represents  another  point  of  vulnerability  to  outside  access. 

D.  TRANSPORTATION 

The  transportation  sector  is  increasingly  dependent  on  networked  information 
systems  for  both  operational  and  business  purposes.  Air  transport  is  certainly  the  most 
dependent  on  automated  information  systems  while  all  modes  depend  heavily  on 
communications.  However,  the  principal  security  issues  still  concern  physical  threats. 
Further,  the  great  diversity  and  redundancy  within  and  among  transportation  modes  limits 
the  potential  for  nationwide  disruption  due  to  natural,  accidental,  and  deliberate  incidents. 
Thus,  the  NSTAC  concluded: 

Although  a  nationwide  disruption  of  the  transportation  infrastructure  is 
unlikely,  even  a  local  or  regional  disruption  could  have  a  significant 
impact.  No  single  system  or  critical  point  of  failure  is  apparent  in  the 
transportation  infrastructure  that  could  cause  disruption  on  a  national  scale 
if  destroyed  or  degraded.27 

Passenger  transportation,  especially  by  air,  has  nevertheless  proven  to  be  an 
attractive  terrorist  target  due  to  the  high  value  placed  on  human  life. 

Air  traffic  control  operations  clearly  depend  on  networked  information  systems 
and  communications  links  with  aircraft.  This  dependence  will  grow  even  stronger  in  the 
future.  The  Federal  Aviation  Administration  (FAA),  for  example,  is  developing  a  new 
nationwide  navigation  and  flight  control  system,  which  will  be  tested  as  early  as  next 
year.  This  sophisticated  system,  with  air  and  ground  networks  linked  to  on-board 
computers,  will  give  pilots  greater  en-route  flexibility  yet  permit  closer  positioning  of 
aircraft  in  busy  airspace.  The  system  will  utilize  the  Global  Positioning  Satellite  (GPS) 
system  for  location  information  and  for  an  enhanced  ground  proximity  warning  system. 


27 See President’s National Security Telecommunications Advisory Committee, “Transportation
Infrastructure Assessment Report,” June 1999, 58. (Hereinafter cited as
NSTAC-Transportation.)




This  dependency  is  a  source  of  concern  since  questions  have  been  raised  about  the  GPS’s 
susceptibility  to  jamming,  general  unreliability,  and  lack  of  redundancy.28 

Railroads  depend  on  centralized  networks  for  traffic  control.  SCADAs  obtain 
train  location  information  from  sensors  on  or  near  tracks  and  transmit  instructions  to 
track-side  signaling  devices.  This  has  been  a  largely  manual  effort,  but  disruption  of 
SCADAs  or  control  centers  could  potentially  disrupt  traffic  over  wide  areas.29 
Automation  of  traffic  control  has  been  increasing,  with  control  center  computers  now 
controlling  track  switches  and  signals  for  25  to  30  percent  of  railroad  freight  traffic.30 
Rail  transit  systems  in  major  metropolitan  areas,  e.g.,  New  York  City  and  San  Francisco, 
have  similarly  been  modernizing  their  traffic  control  systems. 

Information  technology  is  also  being  focused  on  improving  service  for  individual 
shipments.  Automated  systems  are  being  used  to  track  shipments,  sort  them  at  transit 
points,  and  improve  in-transit  routing.  Coupled  with  systems  to  track  trucks,  rail  cars,  and 
containers,  shipment  tracking  enables  more  efficient  use  of  resources  and  better  customer 
service.  For  example,  dispatchers  can  reroute  trucks  to  optimize  shipment  pickup  and 
delivery.  Disruption  of  these  automated  systems  could  disrupt  service  at  key  nodes  or  lead 
to  lower  efficiency  and  greater  congestion. 

Transportation  companies  are  increasingly  interdependent  in  providing  service  for 
a  particular  shipment.  Inter-modal  alliances,  for  example  between  trucking  and  railroad 
companies,  are  becoming  more  important  in  the  effort  to  provide  end-to-end  customer 
service.  This  requires  more  companies  to  exchange  information  on  passengers,  cargo,  and 
operations.  Some  companies,  such  as  Federal  Express  and  United  Parcel  Service,  provide 
end-to-end  service  using  their  own  inter-modal  facilities  and  dedicated  high-speed  data 
networks. 

Transportation  companies  in  all  modes  are  moving  from  closed  proprietary 
networks  to  open,  interconnected  networks  to  provide  value-added  information  for  their 
customers  and  suppliers.  Increasingly,  customers  can  make  reservations  or  track 
shipments  electronically,  often  via  the  Internet.  This  information,  together  with  quick, 


28  Evidently,  the  threat  that  hackers  could  alter  the  trajectory  of  the  satellites  has  proven  exaggerated.  See 
NSTAC-Transportation,  54. 

29  Incompatible  computer  systems  were  blamed  for  months  of  severe  congestion  when  Union  Pacific  and 
Southern  Pacific  Railroads  merged.  See  John  Dodge,  “Can  IT  sink  a  merger?  We’re  bound  to  find  out,” 
PC  Week,  June  22,  1998. 

30  See  NSTAC-Transportation,  21. 



reliable,  and  agile  service,  is  essential  for  businesses  that  rely  on  just-in-time  inventories 
and  advanced  supply  chain  management  methods. 

Automated  systems  are  also  being  used  to  facilitate  compliance  with  regulatory 
requirements. For example, truckers can be monitored for compliance with highway safety
procedures.  Automated  systems  are  in  place  for  clearing  customs  and  satisfying  roadside 
weigh  station  requirements.  Disruption  of  these  systems  could  lead  to  local  congestion. 

Aircraft  and  a  substantial  portion  of  rail  freight  operations  depend  on  automated 
traffic  control  systems.  The  efficiency  and  quality  of  service  for  all  modes  depends  on 
automated  systems  that  track  shipments  and  equipment.  At  the  same  time,  competitive 
pressures  and  new  business  practices  are  leading  to  more  networked  interconnections 
between  transportation  companies  and  their  customers,  suppliers,  and  peers.  Operations 
and efficiency are thus vulnerable to attacks on automated information systems. Future
trends  promise  more  dependence  on  information  technology  and,  perhaps,  greater 
physical  concentration  of  transportation  resources  at  key  inter-modal  transit  points. 

E.  FINANCIAL  SERVICES 

The  financial  services  sector  is  almost  completely  dependent  on  networked 
information  systems  to  process  a  huge  volume  of  transactions  and  keep  track  of  the  assets 
of  millions  of  customers.31  At  the  same  time,  the  sector  is  exceptionally  focused  on 
managing  its  security  risks.  This  emphasis  stems  from  the  need  to  maintain  customer 
trust,  the  potential  for  business  losses  due  to  disruptions,  and  the  concerns  of  financial 
regulators.  In  studying  the  sector,  the  NSTAC  determined  that  financial  institutions  have 
implemented  extensive  layers  of  technical  and  procedural  controls  that  put  significant 
cyber  attacks  outside  the  scope  of  all  but  a  long-term  concerted  nation-state  effort.32 

Many  of  the  institutions  interviewed  for  the  NSTAC  study  “voiced  the  concern  that  they 
could  not  manage  against  cyber  threats  on  the  scale  of  an  ‘electronic  Pearl  Harbor’ 


31 The financial services example is based heavily on President’s National Security Telecommunications
Advisory Committee, “Financial Services Risk Assessment Report,” Infrastructure Assurance Task
Force, December 1997. (Hereinafter cited as NSTAC-Finance.) That report defines the sector to
include banks and other depository institutions, investment-related companies, industry utilities, third-
party processors, and other services. It does not consider insurance, consumer finance, or mortgage
companies since disruption of their networks would not have an immediate national impact.

32 The NSTAC study notes that misleading media reports have generated a false popular impression of
vulnerability to cyber attack. The sector’s penchant for withholding detailed information has
contributed to this view. See NSTAC-Finance, 52, 58.




because they had no credible evidence that these threats existed.”33 Further, they viewed
the  greatest  threat  to  financial  infrastructures  to  be  physical  destruction,  not  cyber  attack. 

The  dependence  of  financial  services  on  networked  information  systems  is 
nevertheless  breathtaking.  In  the  last  decade  or  so,  automation  of  payment  and  market 
systems  has  enabled  an  enormous  increase  in  the  volume  and  the  velocity  of  financial 
transactions.  Electronic  services  now  include  direct  deposits  of  salaries  and  other 
payments,  automated  teller  machines,  verification  of  debit  and  credit  cards,  electronic 
funds  transfer,  and  online  securities  transactions.  Competition  in  the  sector  is  intense, 
driving  the  introduction  of  new  services  and  challenging  security  capabilities. 

1.  Core  Payments  Infrastructure 

The  electronic  payments,  clearing,  and  settlement  institutions  are  among  the  most 
critical  segments  of  the  financial  infrastructure.34  While  cash  and  checks  still  dominate 
transactions  volume,  virtually  all  large-value  payments  and  exchanges  are  made 
electronically.  Interbank  payments  depend  on  the  Fednet,  a  data  network  that 
interconnects  the  Federal  Reserve  Banks.  Some  11,000  institutions  are  connected  to  the 
Fednet  by  dedicated  or  dial-up  lines.  The  Fednet  enables  the  Fedwire  service  for  real-time 
funds  transfers  among  banks  and  other  depository  institutions.  Fednet  is  also  used  for 
electronic  “book-entry”  transfers  of  government  securities  and  has  largely  enabled  the 
Federal  Reserve  to  eliminate  paper  government  securities.  Wire  transfers  are  often 
considered  to  be  vulnerable  since  they  are  interactive  and  involve  large  sums  of  money. 
However,  protective  measures  include  the  use  of  highly  structured  transfer  messages, 
strong  encryption,  authentication,  and  secure  customer  connections.  Further,  the  financial 
institutions  that  originate  wire  transfers  have  stringent  internal  procedures  to  control 
them,  for  example,  requiring  multiple  confirmations.  The  backbone  network  itself  is 
robust,  including  online  backup  centers  that  can  recover  functions  within  minutes  of  a 
failure  of  a  primary  site. 

The  Federal  Reserve  provides  most  automated  clearing  house  services.  Financial 
institutions  forward  batches  of  transactions  via  Fednet  to  processing  centers  for  clearing 
and settlement against other institutions. Transactions include, for example, direct billing
payments  and  direct  deposits  of  payrolls,  dividends,  pensions,  and  benefits. 


33  NSTAC-Finance,  27. 

34  Ibid.,  16. 



Other payments systems include the Clearing House Interbank Payments
System (CHIPS), which is the primary processor for international dollar payments and the
[...] system for foreign exchange transactions. Some 104 participants are linked
to the CHIPS data center by dedicated data lines. The Society for Worldwide Interbank
Financial Telecommunications (SWIFT) provides a secure international payment message
system that carries, for example, instruction messages for payments made via CHIPS.

The bank credit card systems, Visa and MasterCard, oversee complex networks to
authorize and process transactions. Countless point-of-sale terminals are linked by
dedicated or dial-up lines to a network of third-party processors, card associations, and
2.  Banking  Systems 

Banks  have  taken  a  conservative  approach  to  adopting  new  technologies.  While 
competition  and  new  opportunities  have  driven  them  to  provide  many  new  cyber  services 
they have implemented these services with a careful eye on their security implications.

Mission-critical  banking  applications  still  rely  overwhelmingly  on  legacy 
mainframe computers and related protocols. The NSTAC study found little indication that
this would soon change.35 For a number of reasons, the mainframe systems are
considered more secure, reliable, and manageable than new client/server technologies
being adopted for other functions. Most importantly, mainframe technology is mature and
its vulnerabilities are understood. Further, because legacy software systems tend to be
proprietary or customized with little or no online documentation, planning an attack
would require much time and effort. The procedures, protocols, and applications would
be very difficult for an untrained person to understand or execute. The mainframe systems
are also considered easier to control and easier to recover at backup sites in the event of a
primary site failure. Computer viruses too are less of a threat. Cost and performance
advantages nevertheless are leading banks to implement TCP/IP client/server networks
for many non-core applications.

Banks have exposure to outsiders through both remote access and outsourcing.
Remote access to at least some of a bank’s systems is used for telecommuting, customer
services, and administration and maintenance by staff or vendors. Banks increasingly
outsource  such  functions  as  software  development,  network  management,  and  transaction 

35  Ibid.,  50. 




processing.  Further,  banks  are  not  always  successful  at  extending  their  security  policies  to 
their  vendors.  For  example,  consultants  and  contractors  who  work  alongside  bank 
employees  may  not  have  been  screened  as  thoroughly. 

Online  banking  is  growing  rapidly,  forcing  banks  to  confront  the  security 
implications  of  using  the  Internet.  Already,  39  of  the  largest  100  banks  are  offering  at 
least  the  minimal  banking  functions  of  online  bill  payment,  account  status,  and  account 
transfer.36  While  early  schemes  utilized  direct  dial-up  lines,  access  via  the  Internet  is 
increasingly  common.  In  either  case,  bankers  are  wary  and  limit  their  risk  by  screening 
transactions,  limiting  transaction  values,  and  using  encryption  for  authentication  and 
privacy.  Most  importantly,  bankers  are  isolating  their  customer  interfaces  and  Web  sites 
from  their  sensitive  internal  systems.  Sites  providing  account  information  and  financial 
transactions  are  not  directly  linked  to  a  bank’s  actual  cash  management  systems.  For 
example,  data  may  be  exchanged  only  once  or  twice  per  day,  typically  by  manual  batch 
file  transfers. 

Most  major  institutions  have  backup  data  centers  they  can  switch  to  in  the  event 
of  a  primary  center  outage.  Data  centers  may  also  have  uninterruptible  power  sources, 
generators,  and  on-site  fuel  storage.  Data  files  may  be  copied  and  stored  off-site.  Because 
of  their  great  dependence  on  communications,  banks  typically  seek  diversity  of  carriers 
and  routes  for  both  local  and  long-distance  links. 

3.  Securities  Market  Systems 

Stock  markets  and  commodity  exchanges  too  are  heavily  dependent  on  networked 
information  systems  and  have  a  high  concern  for  security.  Huge  volumes  of  transactions 
must  be  processed  and  trusted  ownership  records  must  be  kept.  Explosive  transactions 
growth  has  been  enabled  by  the  adoption  of  new  technologies. 

The  securities  infrastructure  includes  core  centers  for  clearing  and  settling  trades, 
for  example,  the  National  Securities  Clearing  Corporation  (NSCC)  and  the  Government 
Securities  Clearing  Corporation  (GSCC).37  As  a  procedural  control,  trades  are  executed 
only  after  confirmation  from  both  buyer  and  seller.  Functional  disruption  of  a  settlement 


36  See  “Is  Online  Banking  Ready  for  Your  Money?”  NetGuide, 
http://www.netguide.com/SnaDshot/Archive?guide=monev&id=  1 64,  October  31, 1999. 

37  Clearing  confirms  the  key  information  for  a  trade,  i.e.,  the  identity  and  quantity  of  the  item  traded,  the 
price  and  date  of  the  trade,  and  the  identity  of  the  buyer  and  seller.  Settlement  is  the  exchange  of 
payment  for  the  item  traded.  See  NSTAC-Finance,  18. 



organization would probably force a halt to trading on the exchange being supported. The
Depository Trust Company (DTC) acts as the securities custodian, using an electronic
book-entry system to record ownership. Most securities now are exchanged as book
entries rather than paper certificates.

Traditional stock markets conduct trading on the exchange floor. The NASDAQ
however is an electronic communications network that consolidates dealer quotations
and enables electronic trading. NASDAQ order entry and execution has nevertheless
typically been done by telephone. Increasingly, brokers are offering online services for
taking orders for the major exchanges.

F.  VULNERABILITIES  AND  THE  RESEARCH  AGENDA 

The PCAST proposed the LNIIP as a focal point for identifying and addressing
infrastructure vulnerabilities. The required research must examine the general issues
associated with networked information systems as well as the specific challenges posed
by the application of these systems within each infrastructure sector and between critical
infrastructure sectors.

This research requires access to information held by both the government and the
private sector.38 The government has responsibilities for identifying threats as well as
valuable experience in protecting its most sensitive networked information systems.
However, as the PCCIP notes, only the owners and operators of the critical infrastructures
have the knowledge, access, and technology needed to defend their systems.39 There is a
need to understand the vulnerabilities in U.S. infrastructure sectors, and to do this, a way
must be found for the government and private sector to work collaboratively.


38 Stephen Lukasik, “Protecting Information-Dependent Infrastructures,” Information Impacts
Magazine, http://www.cisn.orfr/imp/, September 1999, 4.

39  See  PCCIP,  Critical  Foundations,  24. 




Part  III 


Functions  Needed  for  Infrastructure  Protection 


Chapter  5 

FUNCTIONAL  ASSESSMENT:  OVERVIEW 


This  chapter  focuses  on  each  of  the  functional  areas  that  have  been  identified  for 
strengthening  infrastructure  protection.  In  each  functional  area,  we  draw  on  the  results  of 
our  interviews  and  workshops  to  describe  the  nature  of  the  functions  that  need  to  be 
performed  in  greater  depth.  We  then  consider  the  degree  to  which  existing  organizations  are 
performing  some  or  all  of  these  functions,  or  are  engaged  in  closely  related  activities.  The 
purpose  is  to  better  delineate  the  needed  functions,  and  then  to  determine  whether  it  makes 
the  most  sense  to  assign  a  function  to  an  existing  organization  or  to  place  it  in  a  new 
organization. 

This  chapter  introduces  our  approach.  It  describes  the  functional  areas  reviewed  and 
identifies  the  organizations  that  are  assessed  in  this  section. 

A.  THE  FUNCTIONAL  AREAS 

The  functional  assessment  focuses  on  one  overarching  management  function  and 
four  programmatic  functional  areas.  The  programmatic  functions  include  research  and 
development,  information  sharing,  product  evaluation,  and  educational  initiatives.  (See 
figure  5-1.)  The  successful  performance  of  these  functions  is  necessary  to  meet  the  R&D- 
related  goals  set  forth  in  Presidential  Decision  Directive  63,  and  elaborated  upon  by  the 
PCAST  proposal. 

Our  interviews  and  workshops  revealed  general  support  for  this  taxonomy  of 
functions,  and  broad  agreement  that  more  can  and  should  be  done  in  each  area. 




1. … (Specific organizations/activities)

2. What elements are not being performed? Are there known shortfalls or gaps?

3. What changes to current organizations would yield the desired results? Are they …

4. … arguments in favor of and against formation of a new entity?

5. … to provide … for the function, and …

Organizations Reviewed in Each Functional Area

Research and Development
    Private Sector (EPRI, Telcordia)
    Universities (Purdue, INFOSEC centers of excellence)
    Government (NSA, DARPA, NIST, NSF, DOD Laboratories, National Laboratories)

Information Sharing
    Private Sector (FS-ISAC)
    Universities
    Government (CERTs, NIPC, NSTAC-NSIE)

Product and Service Evaluation
    Private Sector (BITS laboratory, ICSA)
    Universities
    Government (NSA, NIST, NIAP)
    Accreditation ((ISC)2, ISACA)
    Standards (ANSI, IETF)

Education and Training
    Private Sector (AFCEA, CISCO, etc.)
    Universities (INFOSEC Centers of Excellence, Naval Postgraduate School)
    Government (NSTISSC, NSF)




The  baseline  review  gave  us  an  appreciation  for  the  broad  scope  of  ongoing  activity 
in  the  public,  private,  and  academic  sectors  on  cyber  infrastructure  protection  issues,  and 
initiatives.  With  this  perspective,  we  summarize  our  analysis  in  the  following  chapters. 


Chapter  6 

RESEARCH  AND  DEVELOPMENT 


R&D  will  be  the  principal  function  of  the  proposed  I3P.  The  view  that  the 
nation’s  R&D  efforts  need  substantial  strengthening  is,  of  course,  the  central  motivation 
for  the  PCAST’s  proposal  to  create  a  new  R&D  organization.  The  public  and  private 
sectors  are  funding  a  great  deal  of  information  assurance  research,  and  their  investments 
in  this  area  have  grown  significantly  in  recent  years.  These  efforts  nevertheless  still  fall 
short  of  what  is  required,  and  some  experts  believe  that  the  Nation’s  vulnerabilities  to 
cyber  attacks  are  growing  faster  than  ever  before.  There  is  a  widespread  view  that  funding 
is  inadequate  now  for  R&D  focused  on  understanding  and  addressing  the  vulnerabilities 
in  the  Nation’s  critical  infrastructure  sectors.  More  research  is  needed  to  identify  and 
address  such  vulnerabilities,  especially  those  that  expose  infrastructures  to  large-scale, 
coordinated  attacks  that  could  have  catastrophic  consequences.  A  national  focal  point  is 
required  both  to  coordinate  the  research  that  is  being  done  and  to  ensure  that  priority 
requirements  are  met.  This  chapter  reviews  current  activities  and  identifies  the  roles  that 
the  I3P  should  perform. 

A.  R&D  REQUIREMENTS 

Several  systematic  reviews  have  identified  the  kinds  of  R&D  that  are  needed,  and 
have  outlined  these  requirements  in  formal  R&D  roadmaps.  This  section  summarizes  the 
current  understanding  of  R&D  requirements.  This  starting  point  was  then  used  to 
determine  the  extent  to  which  current  activities  are  meeting  R&D  needs,  and  to  determine 
which  tasks  ought  to  be  assigned  to  a  new  organization. 

1. PCAST Proposal

The PCAST saw a need for a dedicated, well-staffed national laboratory focused
on  assuring  the  long-term  cyber  security  of  the  nation’s  critical  information  infrastructure. 




Accordingly, it proposed the establishment of a new not-for-profit organization in the
private sector, to conduct research and develop technology to—

• Gain a systematic understanding of vulnerabilities

• … of the robustness and resiliency of complex …

• Create the means to assure graceful degradation under stress

2.  IDA  Interviews  and  Workshops 

The IDA interviews and workshops indicated that much of the commercial
research and development in the information assurance field is driven by near-term
market opportunities. Within the government, most R&D is funded by the Department of
Defense, and the focus is generally on the government's infrastructure.

While the appropriate scope of the research agenda (i.e., basic science, large-scale
systems architectures, or product engineering) remains to be determined, there is general
agreement on the need to fund long-term basic research, especially to identify and address
the vulnerabilities associated with complex interrelated systems. University experts
particularly focus on the need to establish a "science of information security." …
frequently expressed the concern that much more …
the forensic, legal, and judicial implications of the information age.

Apart from concerns with the gaps in current R&D activities, there is a general
concern over the lack of effective mechanisms for disseminating and making new
research results widely available. This has prevented effective exploitation of the
research currently being done. Such communications gaps also inhibit the establishment
of a coherent research agenda that effectively identifies and prioritizes
limitations in the current state of knowledge. Nevertheless, industry seems to …

In addition, most of those interviewed agree that government should take the lead
in … infrastructure vulnerabilities. Executives
interviewed for this study indicate that their companies are increasingly aware of the risks



associated  with  day-to-day  hacking  and  criminal  attacks,  but  they  generally  do  not 
consider  the  risks  associated  with  larger,  orchestrated  attacks  such  as  might  result  from 
cyber  terrorism  or  cyber  attacks  mounted  by  a  nation  state. 

3.  R&D  Roadmaps 

The  R&D  needs  identified  by  the  PCAST  proposal  and  reinforced  by  the  IDA 
review  are  consistent  with  several  detailed  reviews  and  roadmapping  activities  performed 
in  recent  years.  These  activities  are  highlighted  here  to  provide  context  for  our  study,  as 
well  as  to  suggest  the  logical  starting  point  for  subsequent  efforts  to  develop  a  detailed 
assessment  of  the  unmet  R&D  needs  in  this  area.  The  required  R&D  areas  identified  in 
each  review  are  summarized  here  and  arrayed  in  Table  6-1. 

•  Critical  Infrastructure  Protection  R&D  Interagency  Working  Group  (CIP 
R&D  IWG)  capitalized  on  the  “Preliminary  R&D  Roadmap  for  Protecting  and 
Assuring  Critical  National  Infrastructures”  prepared  for  the  Transition  Office 
of  the  PCCIP.  This  effort  identified  and  examined  some  71  R&D  programs  in 
six  broad  infrastructure  categories  across  all  the  sectors. 

•  Argonne  National  Laboratory  coordinated  preparation  of  a  report  for  the 
PCCIP,  “Technology  R&D  Roadmap  for  Protecting  the  Information  and 
Communication  Infrastructure.”  This  study  identified  four  major  research 
thrust  areas  and  13  prioritized  R&D  needs. 

• Sandia National Laboratories, aided by industry experts, prepared “U.S.
Infrastructure  Assurance  Strategic  Roadmaps”  for  the  Transition  Office  of  the 
PCCIP.  This  sector-by-sector  review  assessed  the  vulnerabilities  of  the  critical 
infrastructures  and  recommended  protection  strategies.  It  sets  forth  six 
roadmaps  designed  to  guide  the  improvement  of  infrastructure  surety  and 
serve  as  strategic  plans  for  the  development  and  introduction  of  technologies 
and  policies  into  each  of  the  critical  sectors.  A  key  priority  is  to  research, 
develop,  and  deploy  advanced  communications  and  information  technologies 
and  systems  to  address  vulnerabilities. 

• Trust in Cyber Space documents a review of R&D needs performed by the
National Academy of Sciences/National Research Council. This is an extensive
examination  of  networked  information  systems,  their  vulnerabilities,  and 
alternative  solutions.  The  book  provides  a  detailed  agenda  for  the  conduct  of 
research  to  address  the  trustworthiness  of  networked  systems. 

•  Software  Engineering  Institute  (SEI)  at  Carnegie  Mellon  University  proposed 
an Information Assurance Research Institute (IARI) that would follow a
careful,  systematic  approach  in  developing  technologies  needed  for  cyber 
protection  of  the  national  information  infrastructure  across  all  the  connected 



… would produce validated … The engineering segment would …
feedback to the science research on the implications and applicability
of research results. The evolving science foundation and engineering
discipline would form … education and technology
programs in a laboratory environment.


Table 6-1. R&D areas identified in each review

Vulnerability Detection and Analysis
Intrusion Detection and Warning
Authentication Technologies
Artificial Intelligence
Simulation Tools and Models
Interdependency Analyses
Trend Analyses
Response and Recovery Technologies
Test Facilities

Threats and Vulnerabilities
… Incident Detection, …
Response and Recovery
Building High Confidence Infrastructures
Modeling and Simulation

Communications and Information
Electric Power
Oil and Gas
Banking and Finance
Transportation
Emergency Services

Software Design and Planning
… and Assurance
Access Control
Identification and Authentication Systems
Cryptography and Public-Key Infrastructures
Network Access Control
Operating System Security
Types of Firewalls

Create and validate a science of Information Assurance
Develop a science-based engineering discipline
Conduct policy development, technology transfer and education to improve the state
of the art and practice of Information Assurance


… formed their recommendations by examining the … activities that … generic,
… across all infrastructure sectors rather than focusing on the specific needs of …

To gain a sense of how … by CIP … it is … to sample some FY 2001 R&D …
(energy system …), enhanced JAVA … for the … of water …




to  be  addressed  in  defining  R&D  needs  is  to  determine  the  appropriate  balance  between 
R&D  that  focuses  on  problems  that  cut  across  all  sectors,  and  problems  that  are  unique  to 
individual  sectors. 

4.  Needed  R&D  Functional  Tasks 

Our  review  finds  broad  agreement  on  the  kinds  of  R&D  that  are  needed  to  identify 
and  address  infrastructure  vulnerabilities.  The  main  elements  of  an  overall  national 
program  are  discussed  below. 

First,  the  breadth  of  proposed  research  topics  ranges  from  building  a  scientific 
foundation  to  creating  many  kinds  of  here-and-now  technologies.  This  range  is  illustrated 
in  Table  6-2,  which  presents  a  research  framework  developed  for  an  earlier  IDA  study.2 
In  this  framework,  fundamental  research  is  needed  to  build  a  scientific  foundation  to 
support  system-level  engineering,  which  is  necessary  to  integrate  individual  components 
into  secure  systems  and  networks.  As  discussed  below,  existing  research  tends  to  focus  on 
component  development,  particularly  in  the  private  sector.  The  need  for  system-level 
engineering  may  be  even  more  urgent,  but  it  is  a  very  difficult  area  that  lacks  a  scientific 
foundation.  For  the  critical  infrastructure  sectors,  any  requirements  for  sector-specific 
research  are  most  likely  to  fall  under  the  headings  of  system  engineering  and  component 
development. 

Table 6-2. Framework for Information Assurance Research

Protection Concepts & Principles
System Architecture
Security Management
System Complexity Issues
Heterogeneous Component Integration
Intrusion Detection
Secure Interoperability and Evolvability
Identification and Authentication
Vulnerability Analysis
Trust Concepts
Applied Engineering Research
Smart Cards
System Assurance
Networking
Standards
Applications
Secure Operating Systems
Applied Cryptography
Hardware-based Security

2  See  William  T.  Mayfield  et  al.,  Commercial  Perspectives  on  Information  Assurance  Research,  IDA 
Paper  P-3359,  October  1997, 24. 




… perspective that integrates across sectors and considers the cascading effect of attacks.
… there is a need for a national-level R&D agenda with a strategic focus.

… information … understanding of the … cyber systems of the … formulation of a
national research … for protecting the …

… research plans is necessary in order to identify serious gaps and shortfalls. Tracking
research … is important for spotting technical opportunities.

… R&D … not being adequately addressed today. There … to find support
through existing R&D mechanisms.

B.  EXISTING  R&D  ACTIVITIES 

As noted earlier, R&D expenditures are growing in both the private and public
sectors. The magnitude of private sector R&D is not known with any degree of precision.
In a 1997 survey, Mayfield et al. estimated the information assurance R&D expenditures




of  12  major  IT  corporations  to  be  in  the  range  of  $200  to  $500  million.3  This  is  an 
incomplete  estimate,  and  given  the  rapid  growth  of  sales  in  this  area,  R&D  spending  can 
be  expected  to  have  increased  in  these  firms  since  1997.  The  R&D  being  performed  by 
industry  is  focused  predominately  on  the  development  of  next-generation  product 
releases,  and  therefore  has  been  very  near-term  in  perspective.  Executives  interviewed 
for  this  study  indicated  that  the  fast  pace  of  the  competitive  marketplace  simply  did  not 
allow  them  to  focus  beyond  near-term  market  requirements. 

The  kinds  of  products  being  developed  by  industry  include  firewalls,  intrusion 
detection  devices,  networking  components,  smart-card  technology,  cryptography 
applications,  and  other  security  management  tools. 

At  the  federal  level,  the  budget  request  for  R&D  to  support  critical  infrastructure 
protection  amounts  to  almost  $500  million.  The  major  government  R&D  programs  are 
described  below. 

1.  Government  Infrastructure  Protection  R&D  Activities 

Table 6-3 shows that most of this federal funding is provided through DOD
programs.


Table 6-3. FY2000 Government Agency Budget Requests
for Critical Infrastructure Protection R&D

Agency                                            Request ($ millions)
Defense                                           352.0
Transportation                                     57.0
Energy                                             36.4
National Science Foundation                        18.4
Commerce                                           11.4
Interior                                            4.0
Justice                                             3.4
National Aeronautics and Space Administration       2.6
Total                                             485.2

3  William  T.  Mayfield,  Ron  S.  Ross,  Stephen  R.  Welke,  and  Bill  Brykczynski,  Commercial  Perspectives 
on  Information  Assurance  Research,  Institute  for  Defense  Analyses,  IDA  Paper  P-3359,  October  1997. 
These  estimates  are  based  on  industry  reports  that  they  were  devoting  about  1%  to  3%  of  their  total 
R&D  on  information  assurance  issues. 



a. Critical Infrastructure Protection R&D Interagency Working Group
(CIP R&D IWG)


At the national level, the Office of Science and Technology Policy (OSTP) is
responsible for coordinating R&D agendas and programs across the government. In the
infrastructure protection area, OSTP does this through a working group under the
National Science and Technology Council (NSTC). This working group is the CIP R&D
IWG. It is responsible to both the National Security Council (NSC) and the NSTC. (See
Figure 6-1.)


[Figure 6-1. Critical Infrastructure Protection R&D Interagency Working Group.
Organization chart; box labels: National Science & Technology Council; Committee on
National Security; Committee on Technology; Critical Infrastructure Coordinating
Group; National Security Council; Seven Subgroups.]


The  CIP  R&D  IWG  is  charged  with: 

•  Monitoring  and  coordinating  ongoing  and  planned  government  R&D 

•  Fostering  conditions  for  developing  a  close  R&D  partnership  with  the  private 
sector,  academia  and  international  groups 

• Facilitating transfer of technology from government agencies to the private
sector




The  CIP  R&D  IWG  is  examining  R&D  options  across  several  infrastructure 
sectors (i.e., Banking and Finance, Information and Communications, Energy,
Transportation,  and  Vital  Human  Services),  identifying  high  priority  cross-cutting 
common  needs,  and  sponsoring  R&D  workshops. 

Two  other  offices  also  play  a  role  in  coordinating  federal  R&D  in  this  area.  The 
first  is  the  National  Coordinating  Office  for  Computing,  Information,  and 
Communications  R&D  (NCO/CIC).  It  works  to  develop  and  implement  government- 
wide  R&D  agendas  in  designated  program  areas.  Examples  include  the  High-Confidence 
Systems  (HCS)  working  group,  and  the  Large-Scale  Networking  (LSN)  working  group. 
Although  information  assurance  is  not  an  NCO  program  area,  many  of  the  same  officials 
are  involved  in  both  the  NCO  and  the  CIP-IWG,  and  many  of  the  program  issues  are 
closely  related.  A  second  office  that  assists  in  coordinating  R&D  is  the  Critical 
Infrastructure  Assurance  Office.  The  CIAO  provides  support  to  the  National  Coordinator 
for  Critical  Infrastructure  Protection  and  Counterterrorism. 

b.  Department  of  Defense  (DoD)  Activities 

Table  6-3  indicates  that  most  of  the  government’s  R&D  funding  is  provided  by 
the Department of Defense. The Defense Advanced Research Projects Agency
(DARPA), NSA, and the Military Departments are the principal sources of funding.
Recently the DoD established the Defense-Wide Information Assurance Program (DIAP)
to  coordinate  activities  across  the  Department.  These  DoD  activities  are  reviewed  here. 

Defense-Wide  Information  Assurance  Program  (DIAP) 

The  DoD  Chief  Information  Officer  (CIO)  has  department  responsibility  for 
information assurance and uses the DIAP as the mechanism to carry out that role. With
respect  to  research  and  technology,  the  DIAP  provides  for  R&D  of  information  assurance 
technologies  consistent  with  current  and  anticipated  mission  needs.  The  intent  is  to 
leverage  research  throughout  DoD,  the  government,  the  private  sector,  and  academia. 

Defense  Advanced  Research  Projects  Agency  (DARPA) 

DARPA  is  a  DoD  agency  charged  with  the  mission  of  maintaining  U.S. 
technological  superiority  across  a  broad  range  of  R&D  fields.  Its  Information  Technology 
Office  (ITO)  and  Information  Systems  Office  (ISO)  are  pursuing  initiatives  related  to 
detecting  cyber  attacks  against  networks,  countering  the  attacks,  and  repairing  the 
damage.  The  chief  mechanism  used  by  DARPA  is  to  fund  a  broad  swath  of  external 




research projects through a series of Broad Area Announcements (BAAs), which are calls
for proposals from industry. Currently, BAAs have been released for several hundred
million dollars in information technology and information assurance study areas.

DARPA programs address both component technology and network-level
information assurance. In recent years, for example, DARPA has managed component
technology programs for:

• … and response, including developing algorithms, protocols, …

• … domain and type enforcement firewalls and …

• … methods, including wireless identification systems, certificate
authority workstations, and the security services desk concept

• Dynamic virtual private networking

• Wrappers, to enable the secure use of legacy operating systems

A  major  new  program  will  address  information  assurance  and  survivability  at  the 
network  level,  aimed  particularly  at  providing  security  and  survivability  for  DOD’s  next 
generation  information  infrastructure.  Among  other  things,  this  effort  will  develop: 

• Network security architectures, integrating component technologies

• Information assurance science and engineering tools, developing an
underlying science that permits a formal understanding of information
… enabling the creating of metrics, methods, and tools to
support both the design and assessment of information systems

• Intrusion tolerant systems, including architectures and techniques to enable the
fielding of systems that respond to intrusions with actions that ensure
continued correct and timely user services even in the face of an attack

• … control techniques, including a strategic cyber decision
support system to help commanders thwart information warfare campaigns
while maintaining operational functions

• Autonomic information assurance, including a distributed operational systems
… to detect and tactically respond to defined classes of attacks

DARPA's programs are executed through private contractors, universities, and
national laboratories. The work is designed to support the protection of DOD's
information systems and is specialized to some degree for military situations and




particular  types  of  systems.  In  many  cases,  however,  the  results  may  also  prove  useful  for 
the  protection  of  civilian  infrastructures  and  generic  information  systems. 

c.  National  Security  Agency  (NSA) 

This  DoD  agency’s  primary  mission  is  to  provide  signals  intelligence  and 
communications  security  activities  for  the  government,  including  DoD  information 
systems  security  and  operations  and  security  training.  The  NSA’s  Information  Systems 
Security Organization (ISSO) has the responsibility for information security matters and
uses  its  National  Computer  Security  Center  to  assist  in  security  research  efforts.  A  broad 
INFOSEC  technology  program  is  underway  to  achieve  five  basic  objectives: 

•  Anticipate  emerging  information  technologies  and  design  programs  and 
architectures  for  the  development  of  security  solutions 

•  Build  a  broad  INFOSEC  knowledge  base  through  advanced  research  in 
information  processing,  communications  and  security  technologies 

•  Develop,  test,  and  demonstrate  new  approaches  to  information  security 

•  Coordinate  national  INFOSEC  R&D  activities 

•  Preserve  cryptographic  preeminence 

Specific  research  topics  are  detailed  in  NSA’s  Information  System  Security 
Research  Program  Plan,  which  describes  work  in  41  separate  technical  areas  directly 
related  to  cyber  protection  of  infrastructure  resources.  Examples  include: 

•  Network  Boundary  Identification 

•  Security  Implications  of  Physical  Layer  Changes 

•  Biometrics 

•  Trusted  Operating  System  Prototype 

•  Damage  Taxonomy 

•  Detection  Taxonomy 

•  Recovery  Taxonomy 

•  Public  Key  Cryptography 

•  Quantum  Cryptography 

•  High  Speed  Security 

•  Formal  Methods 

•  Anti-tamper  Techniques 

•  Risk  Management  Tools 



Supporting NSA activities include:

•  Advanced  Research  and  Development  Activity  (ARDA).  It  was  established  to 
independently  formulate  strategic  goals  and  guidance  for  a  strategic  plan  for 
advanced  R&D  in  information  technology.  ARDA  is  pursuing  research  to  develop 
algorithms,  techniques  and  enabling  core  technologies  in  nine  separate 
information  technology  thrust  areas. 


• INFOSEC Research Council (IRC). Sponsored by NSA, other participants are
DARPA, NIST, DOE, NSF, and the Military Services. The IRC objective is to
share the details of information security and information assurance R&D
programs across government, universities, and contractors, focusing on R&D
topics.


•  Information  Operations  Technology  Center  (IOTC).  This  NSA  based  center  is 
focused  on  developing  tools  and  techniques  needed  to  conduct  information 
warfare.  It  was  established  in  March  1997  by  the  SECDEF  and  DCI  to  respond  to 
the  need  for  a  single  center  to  integrate  diverse  service  and  intelligence 
community  offensive  information  operations  technology  efforts,  and  to  establish 
and maintain a national repository of these techniques.

d.  Military  Departments 

The  Military  Services  fund  a  range  of  information  assurance  R&D  activities  in 
their  laboratories.  The  Naval  Research  Lab,  Air  Force  Rome  Labs,  and  the  Army 
Research  Labs  are  examining  basic  and  applied  research  efforts  on  a  variety  of  topics 
directly  related  to  information  and  infrastructure  protection  goals.  They  participate  in 
DoD  fora  and  interagency  efforts  to  exchange  and  coordinate  ideas  and  best  practices. 


2.  Department  of  Energy 

The  Department  of  Energy  funds  R&D  on  infrastructure  protection  at  the  National 
Laboratories.  In  addition,  the  laboratories’  development  of  advanced  computing  and 
networking  to  support  the  Stockpile  Stewardship  Program  has  necessitated  developing 
information  assurance  technologies  and  methods.  The  National  Laboratories  therefore 
represent  a  major  source  of  technical  expertise  in  this  area. 

Sandia  operates  DOE  systems  engineering  laboratories  whose  primary  mission  is 
guaranteeing  the  surety  of  the  nuclear  weapons  stockpile.  Additionally  it  has  the  mission 
to improve the surety of the nation’s energy infrastructure. Sandia used its
multidisciplinary technical capabilities to assist the President’s Commission on Critical
Infrastructure Protection (PCCIP) in areas such as:

•  Coordinating  infrastructure  assurance  strategic  R&D  roadmaps  with  the 
private  sector. 

•  Modeling  interdependencies  of  the  critical  infrastructure  to  identify  system 
interactions  and  predict  responses  to  disruptions. 

•  Examining  information  assurance  technologies  for  key  management  systems, 
cryptography,  authentication,  high  surety  hardware/software,  monitoring,  and 
detection  systems. 

•  Conducting  vulnerability  assessments  and  systems  analysis  to  identify  critical 
nodes  and  networks. 

•  Conducting  research  at  Argonne  National  Laboratories  to  address  basic 
science  (including  computer  science),  scientific  facilities,  energy  resources, 
and  environmental  management.  Argonne  took  the  lead  for  coordination  of  the 
PCCIP  report  on  an  “R&D  Roadmap  for  Protecting  the  Information  and 
Communications  Infrastructure  in  the  U.S.” 

Lawrence  Livermore  and  Los  Alamos  National  Labs  each  have  extensive 
information  assurance  programs  developed  to  protect  highly  sensitive  data  and  computer 
codes  used  in  nuclear  weapon  design. 

3.  Department  of  Commerce 

The  Department  of  Commerce  (DOC)  has  a  multifaceted  role  with  respect  to 
national  information  infrastructure  protection: 

•  Establishing  partnerships  with  the  private  sector  to  develop  and  advance 
dialogues  and  activities  to  improve  infrastructure  security. 

•  Operating  the  National  Institute  of  Standards  and  Technology  (NIST)  designed 
to  meet  the  cyber  security  testing  requirements  of  Information  Technology 
users  and  producers,  public  and  private. 

•  Providing  the  resources  for  the  operation  of  the  Critical  Infrastructure 
Assurance  Office  (CIAO),  which  is  charged  with  integrating  private  sector 
plans  into  a  national  infrastructure  assurance  plan  and  coordinating  analyses  of 
critical  infrastructures. 

Each of these endeavors is being pursued vigorously. The DOC has reached
organizational agreements with several Private Sector Coordinators [e.g.,
Telecommunications Industry Association (TIA), Information Technology Association of
[...] created an industry-government “Partnership for Critical Infrastructure
Security” which includes more than 80 leading [...] industry associations (e.g.,
Microsoft, AT&T, Cisco Systems, Citigroup, [...] Edison).

[...] concentrates on [...] of measuring [...] to assist [...] product evaluation based on
objective criteria. The ITL assists the National Information Assurance Partnership
(NIAP), a NIST collaboration with the National Security Agency to meet the security
testing requirements of both the public and private [...] methods, and tests for [...]
technology security products. They serve as the nation's center of expertise and
resources for the security testing community.

As noted earlier, the CIAO [...] support to the National Coordinator for
Critical Infrastructure Protection and Counter-Terrorism in the National Security Council
staff structure. Its chief activities include the drafting of a National Plan for Infrastructure
Protection, promotion of private sector led information sharing and public-private
partnership arrangements. The National Plan reportedly covers the following 10 principal
areas of interest:

•  Identify and address vulnerabilities

•  Detect and respond to attacks

•  [...]/coordinate law enforcement capabilities

•  [...] with private sector

•  Create capabilities for response, reconstitution, and recovery

•  Promote research and development

•  Promote training and education

•  Conduct Outreach Programs to educate private sector

•  Ensure industry’s privacy in information sharing program

•  Review aggregate budgets and potential organization for national IA.




4.  National  Science  Foundation 

The  National  Science  Foundation  (NSF)  is  an  independent  agency  of  the  U.S. 
government  with  the  mission  of  promoting  science  to  advance  national  health,  prosperity, 
welfare,  and  defense.  The  focus  of  interest  for  national  information  infrastructure 
protection  is  its  Directorate  for  Computer  and  Information  Science  and  Engineering 
(CISE).  The  NSF  has  recently  awarded  some  50  grants  related  to  information  technology 
(IT)  in  topic  areas  such  as  the  following: 

•  A  project  to  increase  competition  in  naming  internet  domains 

•  High  data  rate  wireless  internet  connections 

•  IT  research  in  a  competitive  world 

•  Development  of  an  undergraduate  major  in  IT 

The  NSF  essentially  administers  grants,  contracts  and  R&D  programs  to  foster  the 
interchange  of  scientific  information,  methods,  technologies  and  research.  Its  Director  is 
appointed  by  the  President  and  it  reports  to  the  National  Science  Board  comprised  of  24 
members.  The  NSF  fulfills  its  mission  by  also  performing  the  following  activities: 

•  Award  fellowships  to  perform  research  in  selected  areas 

•  Foster  development  and  use  of  computers  and  other  scientific  methods  and 
technologies,  primarily  for  research  and  education  in  the  sciences 

•  Evaluate  status  and  needs  of  the  various  sciences  and  engineering  and 
correlate  research  and  educational  programs  with  other  Federal  and  non- 
Federal  programs 

•  Maintain  register  of  scientific  and  technical  personnel.  Provide  a 
clearinghouse  for  collection,  interpretation,  and  analysis  of  data  on  scientific 
and  technical  resources  and  provide  information  for  policy  formulation  by 
other  Federal  agencies 

•  Determine  amount  of  Federal  money  received  by  universities,  et  al,  for 
scientific  and  engineering  research,  including  basic  and  applied 

•  Initiate  and  support  specific  scientific  and  engineering  activities  relating  to 
international  cooperation,  national  security,  and  the  effects  of  science  and 
technology  on  society 

•  Initiate  and  support  scientific  and  engineering  research,  including  applied 
research,  at  academic  and  other  nonprofit  institutions 


•  [...] national [...] for the promotion [...] research and education [...] sciences and
engineering; strengthen [...]

•  Support activities designed to increase the [...] minorities and others
under-represented in [...]

5.  Other  Organizations 

[...] organizations are involved in efforts to improve the security of their [...]
as [...] in Table 6-2, have submitted budget requests for Critical Infrastructure
Protection R&D funding.

[...] operating administrations [...] Federal Highway Administration, the Federal [...]
Research and [...] Volpe National Transportation Systems [...] in Cambridge [...]. The
Volpe Center is dedicated to [...] the effectiveness [...] organizations with critical
transportation [...]. They offer a range of security services including [...] development,
certification of systems, disaster recovery, penetration testing, contingency planning,
and security reviews.

[...] (e.g., [...] Aeronautics and [...] of Justice) who have budgeted modest amounts for
infrastructure protection R&D. Such investments are for internal upgrades and fixes to
protect individual [...] systems, [...] in Table [...] are not a significant source of R&D
funding.

C. THE ROLE OF THE I3P

The foregoing organizations and activities [...] needs and contribute positively to the
accomplishment of their agency’s [...]. This activity attests to the strength and diversity
of current efforts to address the nation’s information infrastructure [...]. However, [...]
also suggests that some duplication of effort and overlapping of functions is likely. Table
6-4 provides a summary assessment of the adequacy of existing activities to meet key
national needs and identifies unmet roles that should be filled by the I3P or other means.

There  is  a  need  to  create  a  national  perspective  on  R&D  requirements  and 
practices.  A  number  of  activities  have  developed  R&D  roadmaps,  which  provide  a  logical 
starting  point.  Current  R&D  activity  needs  to  be  tracked  in  sufficient  scope  and  detail  to 
identify  gaps,  shortfalls,  and  progress  and  thus  establish  priorities.  These  tasks  should  be 
assigned  to  the  I3P.  The  I3P  would  not  actually  set  the  national  agenda  but  would  build 
the  information  base  needed  to  do  so. 

Even  without  a  formal  national  agenda,  it  is  clear  that  there  are  critical  unmet 
needs  for  research  in  certain  areas.  As  indicated  in  Table  6-4,  these  areas  tend  to  fall  into 
the  category  of  basic  or  fundamental  research.  There  are  also  unmet  needs  for  research 
specialized  to  the  designated  critical  sectors,  for  example,  modeling  the  sectors  and  their 
dependencies  and  studying  cascade  effects.  Such  research  is  critical  to  achieving  the 
breakthroughs  necessary  to  protect  the  information  infrastructures  over  the  coming 
decades,  yet  funding  for  basic  research  is  woefully  inadequate  and  likely  to  remain  so 
without  an  initiative  from  the  national  level. 

At  the  product  level,  the  private  sector  has  primary  responsibility.  Hundreds  of 
millions  of  dollars  in  private  R&D  are  driven  by  near-term  security  needs  and  market 
opportunities  (e.g.,  new/expanded  firewalls,  intrusion  detection  devices,  network  security 
software).  In  certain  cases,  government-supported  organizations  should  support  the 
development  and  testing  of  pre-product  prototypes;  for  example,  when  private  companies 
under-invest  in  needed  products  and  technologies  due  to  technical  risks  or  uncertain 
markets. This is a role that DARPA and NSA have undertaken to meet some of the needs
of  government  users.  The  I3P  also  could  fill  gaps  in  pre-product  development,  acting  to 
meet  the  needs  of  all  the  critical  infrastructure  sectors.  Further,  the  I3P  should  actively 
promote  the  transition  of  technologies — wherever  developed — into  the  products  of  the 
information  technology  industry. 




Table 6-4. Assessment of Existing R&D Activities

| Task | Existing Activities | Assessment | I3P Role |
|---|---|---|---|
| Define and study national information infrastructures as system of systems (interdependencies) | CIAO, aided by Sandia et al.; Some sector mapping | Modest start; funding shortfalls; Individual sectors only | Perform task across all sectors |
| Track public and private sector R&D programs to identify gaps, shortfalls, and opportunities | CICG/CIP R&D IWG; NCO/CIC for federal programs; DoD/NSA/INFOSEC Research Council for selected agencies | Some private sector participation (gaps and shortfalls addressed weakly); Federal R&D only; DoD R&D only | Perform task across all sectors |
| Support development of national R&D agenda for protection of information infrastructures of critical sectors | Roadmap studies for PCCIP | No thorough ongoing effort | Support responsible national or government body |
| Establish scientific basis for IA, formal methods and high assurance approaches | Individual agencies and private sector firms each addressing some aspects | Focus on individual agency/company needs; no broad-based national efforts | Selectively fill gaps and shortfalls |
| Develop engineering principles, standards and metrics for product evaluation benchmarks and tools | NIST, NSA, NIAP; Private sector associations/consortia | NIAP R&D budget limited, others tend to concentrate on government needs; Limited effort, not always thorough | Selectively fill gaps and shortfalls |
| Develop systematic methods to analyze cascade effects on interdependent systems | Some sector-specific studies | Methodology and scope limited | Selectively fill gaps and shortfalls |
| Build modeling and simulation capabilities across key infrastructure sectors | CIAO, aided by DOE labs; Private industry by sector needs | Modest start; Focus on individual sectors only | Selectively fill gaps and shortfalls |
| Prototype/test pre-product technologies for end-to-end trustworthy networked systems | Most government and industry entities | No systematic coordination and integration across sectors or agencies (some exceptions in DoD) | Selectively fill gaps and shortfalls |
| Promote technology transition | CICG CIP R&D IWG; DoD (DARPA, NSA, Services) | Results not identified; Transfer outside DoD uncertain | Area of emphasis |
| Develop products | Private industry; NSA | Dynamic growth but security inadequate; Limited to few government needs | No role |



Potential  tasks  for  a  new  R&D  organization  are  summarized  in  Table  6-5.  These 
are  tasks  in  which  there  is  a  public  interest  that  is  not  being  met  by  market  forces.  The 
topics  emphasize  basic  and  specialized  research  necessary  to  meet  long-term  protection 
needs.  The  development  of  specific  products,  with  few  exceptions,  will  be  accomplished 
by  the  information  technology  industry.4 

Table  6-5.  Needed  R&D  Functional  Tasks 


•  Support  development  and  integration  of  national  strategy 

-  Define  and  study  national  information  infrastructures  as  an  end-to-end  system  of  systems 
in  order  to  understand  priorities,  linkages,  dependencies,  vulnerabilities,  and  risks 

-  Track  public  and  private  sector  R&D  programs  to  identify  gaps,  shortfalls,  and  technical 
opportunities  (see  information  sharing  discussion  in  Chapter  VII) 

-  Support  the  development  of  a  national  R&D  agenda  aimed  at  protecting  the  information 
infrastructures  of  the  critical  sectors  against  catastrophic  disruptions  caused  by  major, 
coordinated  attacks 

-  Sponsor  assessments  to  characterize  strategic  cyber  threats  capable  of  imposing 
national-level  consequences;  use  classified  all-source  data  from  existing  intelligence 
sources 

•  Coordinate  and  sponsor  R&D  to  fill  gaps  and  shortfalls  in  key  areas  such  as: 

-  Establishing a scientific basis for information assurance

-  Developing engineering principles, standards, and metrics to provide product evaluation
benchmarks and tools (see product evaluation discussion in Chapter VIII)

-  Developing systematic methods to analyze cascade effects on interdependent systems

-  Building needed modeling and simulation capabilities in and across key infrastructure
sectors

-  Prototyping and testing pre-product technologies for end-to-end trustworthy networked
information systems

-  Promoting the transition of existing and future technologies


D.  EXTERNAL  RELATIONSHIPS 


To  perform  the  tasks  described  above,  the  I3P  or  other  organizations  would  need 
effective  working  relationships  with  a  broad  set  of  partners.  Part  IV  below  discusses 
alternative  organizational  models  for  accomplishing  the  R&D  tasks.  The  present  section 
briefly  describes  the  necessary  external  relationships. 

Most importantly, any new R&D organization must work closely with the
companies that constitute and operate the critical infrastructure sectors. Ultimately, the
protection needs of these companies must define and shape the R&D agenda. Moreover,
much of the research outlined above is impossible unless these companies provide
sensitive information about their operations and vulnerabilities. The IDA interviews
confirmed that these companies hesitate to share such information because its disclosure
could damage their reputations or aid attackers in identifying vulnerabilities. They
particularly hesitate to share such information with the government for fear that it will
lead to increased regulation of their activities.

4  One exception would be a product needed by the government for which there was insufficient demand to
justify commercial development.

At  the  same  time,  the  new  R&D  organization  must  work  effectively  with  the 
government,  which  is  responsible  for  defining  the  national  security  and  public  safety 
objectives  that  would  comprise  its  overarching  mission.  This  requires  the  trust  of  the 
government, which is the primary source of the threat information needed to inform and
prioritize  the  R&D  program,  and  some  elements  would  require  access  to  classified 
information.  Interviews  for  the  present  study  indicate  that  the  government  will  be 
extremely  cautious  in  sharing  such  information,  but  detailed  access  to  ongoing 
government-sponsored  R&D  projects  will  be  essential  for  the  creation  of  an  R&D  agenda. 

Finally,  a  new  R&D  organization  will  need  to  build  collaborative  relationships 
with  R&D  providers  such  as  universities,  national  laboratories,  and  the  information 
technology  industry.  It  must  work  closely  with  them  to  track  ongoing  R&D  and  support 
the  development  of  a  meaningful  national  R&D  agenda.  Moreover,  it  must  be  able  to 
bring  them  together  to  collaborate  in  performing  needed  research.  Trust  would  be 
especially  important  in  facilitating  the  transition  of  technologies  into  the  products  of  the 
extremely  competitive  information  technology  industry.  Research  providers  contacted 
during  the  IDA  study  expressed  a  willingness  to  commit  expertise  provided  that  the 
complicated  intellectual  property  issues  involved  could  be  worked  out  to  everyone’s 
satisfaction.  Those  in  the  private  sector,  however,  were  wary  of  an  expanded  government 
role  in  conducting,  as  opposed  to  sponsoring,  research. 




Chapter  7 

INFORMATION  SHARING 

Information  sharing  would  be  a  major  activity  of  the  proposed  I3P.  It  is  an 
essential  enabler  for  the  organization’s  other  tasks  in  the  R&D,  product  and  services 
evaluation,  and  education  and  training  areas  as  well  as  an  important  function  in  its  own 
right.  This  function  is  a  valuable  service  that  could  increase  the  effectiveness  of  all 
organizations involved in protecting the information systems of the critical infrastructure
sectors.  What  is  contemplated  here  is  not  an  operational  role  in  monitoring  computer 
intrusion  and  response  incidents,  a  task  being  addressed  by  a  number  of  organizations. 
Rather,  the  I3P  would  have  a  longer-term  perspective,  concentrating  on  information 
needed  for  study  and  understanding. 

A.  NEED  FOR  INFORMATION  SHARING  FUNCTION 

1.  Background 

One  of  the  principal  observations  outlined  in  the  PCAST  proposal  and  validated 
during  our  interviews  is  that  R&D  information  related  to  protecting  the  national 
information  infrastructures  is  not  being  shared  effectively.  Although  there  is  a  wealth  of 
activity  and  resultant  data  available  within  industry,  academia,  and  government,  it  is,  by 
and  large,  not  being  exchanged  within  or  between  those  sectors.  In  consequence,  there  is 
duplication  of  effort  in  some  areas,  and  little  if  any  effort  in  other  areas.  The  problem, 
especially  lack  of  effort,  is  most  pronounced  for  the  area  of  cross-sector,  system-of- 
systems,  cascading  effects  within  complex  networks,  but  it  is  also  apparent  for  other 
subjects  such  as  standard  setting,  best  practices,  technology  transfer,  vulnerabilities, 
threats,  countermeasures,  security  evaluation,  training,  and  policy  development. 

That  information  is  not  being  shared  is  not  surprising.  Within  industry, 
collaboration  is  not  a  natural  mode  of  operations  and  may  violate  antitrust  laws. 
Corporations  are  generally  hesitant  to  share  information  related  to  R&D  that  might  be  of 
value  to  competitors  and  could  threaten  market  share.  Government  is  hindered  because 
industry is not inclined to provide information regarding security weaknesses for fear it
could result in regulation, investigation, or litigation. And universities, while typically
willing  to  share  information,  currently  have  no  good  forum  for  doing  so;  moreover,  their 
information  is  limited  by  the  fact  that  information  assurance  is  only  now  beginning  to  be 
treated  as  a  full-fledged  academic  discipline.  Despite  these  impediments,  there  is 
widespread  agreement  among  those  interviewed  for  this  study  that  the  security  of  our 
national  information  infrastructure  depends  on  improving  the  sharing  of  information. 

2.  Information  Sharing  Tasks 

The  information  sharing  function  would  involve  a  number  of  tasks,  principal 
among  which  is  creation  of  a  clearinghouse  to  facilitate  the  exchange  of  information 
among  industry,  academia  and  government.  This  clearinghouse  must  be  perceived  as  a 
neutral,  non-threatening  and  secure  environment  that  encourages  coordination  and 
cooperation  and  in  which  information  can  be  exchanged  with  freedom  and  confidence.  It 
would  inform  researchers  of  lessons  already  learned  so  they  could  apply  those  lessons  to 
new  research  and  development.  It  would  provide  a  place  where  industries  could  go  to 
find  strategies,  policies,  and  procedures  that  have  been  successful  in  helping  other 
industries defend their infrastructures. Information would be available on these and a
variety of other information security subjects, to include threats, vulnerabilities, and
countermeasures.

The  function  would  involve  active  efforts  to  collect  information.  The  resulting 
products  would  be  screened  and  sanitized  to  ensure  that  sensitive,  proprietary,  and 
classified  data  is  protected.  I3P  staff  would  determine  the  data  to  be  protected,  and 
information  would  then  be  organized  and  stored  in  a  safe  repository  and  made  available 
via  secure  automated  tools  in  accordance  with  a  well-defined  set  of  rules. 

Another  task  would  be  to  coordinate  across  sectors  and  technologies  to  identify 
deficiencies  and  highlight  subjects  where  R&D  and  other  corrective  actions  are  needed. 
An  example  might  be  sponsoring  a  collaborative  analysis  of  the  effects  upon  the 
transportation  infrastructure  of  a  cyber  attack  on  the  telecommunication  infrastructure. 
The  goal  would  be  to  identify  cascading  effects  and  point  out  to  the  R&D  community 
where  improved  tools,  policies,  procedures,  or  standards  are  needed  to  enhance 
deterrence,  detection,  response  and  recovery.  The  information  sharing  function  and 
associated tasks are summarized in Table 7-1.




Table  7-1.  Needed  Information  Sharing  Functional  Tasks 

•  Provide clearinghouse to facilitate two-way sharing of information

•  Collect, sanitize, analyze, evaluate, archive, and disseminate information

•  Coordinate across sectors and technologies to identify common deficiencies and highlight
areas where R&D or other corrective action is needed


B.  EXISTING  INFORMATION  SHARING  ACTIVITIES 

Several  organizations  play  a  role  in  information  sharing  today,  and  we  must 
determine  whether  one  of  them  might  be  able  to  assume  responsibility  for  the  overall 
function.  Principal  among  them  are  the  National  Infrastructure  Protection  Center  (NIPC), 
the  Financial  Services  Information  Sharing  and  Analysis  Center  (FS/ISAC),  and  the 
National  Security  Telecommunication  Advisory  Committee's  National  Security 
Information  Exchange  (NSTAC  NSIE).  It  also  should  be  noted  that  the  Computer 
Emergency  Response  Team  Coordination  Center  (CERT/CC)  exists  for  the  purpose  of 
sharing  information  related  to  infrastructure  protection.  Its  focus,  however,  is  on 
coordinating  immediate  response  to  intrusions  and  attacks  against  specific  networks 
rather  than  on  sharing  information  related  to  the  broader  and  longer-term  aspects  of 
infrastructure  protection. 

The  NIPC  is  operated  by  the  Federal  Bureau  of  Investigation  and  staffed  by 
personnel  from  several  federal  agencies,  including  the  Department  of  Defense.  While 
well  positioned  to  deal  with  federal  issues,  this  is  a  government  organization  tied  to  law 
enforcement,  and  industry  has  reservations  about  sharing  information  with  such  an  entity. 
Also,  the  government  connection  may  breed  fear  of  regulation  and  create  potential  legal 
issues related to the Freedom of Information Act (FOIA). An additional concern is that
the NIPC is primarily oriented toward investigation and operations; that is, solving
computer crimes, rather than toward R&D and other aspects of information sharing.
Finally, there has been little interaction to date between the NIPC and the academic sector.

As  envisioned  by  PDD-63,  a  single  ISAC  would  be  created  for  the  purpose  of 
sharing  information  among  all  industries  and  infrastructures  within  the  private  sector. 
Such  a  body,  if  created,  would  probably  be  able  to  perform  the  function  described  in  this 
paper;  however,  efforts  thus  far  to  create  ISACs  have  focused  entirely  on  one  specific 
industry  or  infrastructure.  The  only  ISAC  actually  established  is  for  financial  services  (the 
FS/ISAC).  It  is  operated  by  a  contractor,  has  limited  government  and  academic 
involvement, and, having just been activated, has yet to be fully tested. Some discussion
is also taking place regarding a telecommunication and information sector ISAC, but no
center  has  actually  been  established.  There  are  indications  that  if  one  is  developed,  it 
might  be  built  upon  the  existing  NSTAC  NSIE. 

The  NSTAC  NSIE  consists  of  two  subcommittees,  one  composed  of 
representatives  from  nine  telecommunication  and  information  technology  companies,  and 
the  other  from  nine  government  agencies.  The  subcommittees  hold  joint  meetings  lasting 
roughly  a  day  and  a  half  every  other  month  to  share  information  on  recent  intrusions, 
viruses,  and  other  threats  experienced  by  member  organizations.  The  NSIE  does  provide 
a  forum  for  sharing  information  among  industry  and  government,  and  to  a  certain  extent 
academia. (The CERT/CC, associated with the Software Engineering Institute (SEI) at
Carnegie-Mellon University, attends as a guest.) However, its effectiveness in
performing  the  overall  function  would  probably  be  limited  by  the  fact  that  it  is  not  a 
standing  organization  staffed  by  a  significant  number  of  full-time  personnel.  In  addition, 
its  focus  is  rather  narrow,  concentrating  on  operational  response  to  threats,  and 
vulnerabilities  to  individual  member  companies  and  agencies.1 

As  indicated  in  the  foregoing  discussion,  while  there  are  several  organizations  that 
perform  various  aspects  of  information  sharing,  none  seems  suitable  for  performing  all 
the  tasks  outlined  above.  Our  findings,  summarized  in  Table  7-2,  lead  us  to  conclude  that 
a  new  entity  is  needed— one  that  takes  an  overarching  view,  looking  across  sectors  and 
technologies  and  concentrating  on  R&D,  system-of-systems  effects,  and  broader  aspects 
of  information  assurance  such  as  policy  development. 


1  The NSTAC itself has conducted a number of broader studies of the vulnerabilities of particular
infrastructure sectors.




Table 7-2.  Assessment of Existing Information Sharing Activities

Task: Provide clearinghouse and facilitate sharing of information among industry, academia, and government

I3P Role: Provide a neutral, non-threatening venue. Facilitate coordination and communication across and within sectors.

Existing Activities and Assessment:

-  NIPC: Government agency closely connected with law enforcement. Industry may not be inclined to share information. Focuses on operations versus R&D. Little academic involvement.

-  FS/ISAC: Focuses on financial services sector only. Limited government and academic involvement.

-  NSTAC NSIE: Shares information but focuses on operational response versus R&D. Meets only periodically. Limited academic involvement.

-  CERT/CC: FFRDC, but private institution; info exchange for government, industry, and academia.

Task: Collect, sanitize, analyze, evaluate, archive, and disseminate information

I3P Role: Conduct active information gathering; consolidate into library and databases; disseminate information; protect sensitive information and sources.

Existing Activities and Assessment:

-  NIPC: Limited ability to collect information from private sector. Focus is on operations versus R&D.

-  FS/ISAC: Only handles information within sector. Not connected with government. Newly formed; effectiveness not determined.

-  NSTAC NSIE: Collects and archives very limited amount of information. Not staffed for analysis and evaluation.

-  CERT/CC: Focus on coordinating response and disseminating information related to computer intrusion rather than on R&D.

Continued 




Table 7-2.  (Cont'd)

Task: Coordinate across sectors and technologies to identify common deficiencies and highlight areas where R&D and other corrective action is needed

I3P Role: [...] findings to attention of R&D and other organizations.

Existing Activities and Assessment:

-  FS/ISAC: Focused only on financial sector.

-  NSTAC NSIE: Focuses on specific threats and vulnerabilities of member companies and agencies.

-  CERT/CC: [...] associated with [...]


C.  THE ROLE OF THE I3P

[...] academia and government [...] by creating a neutral, non-threatening, mutually supportive [...] would, among other things, sponsor workshops, symposia and other forums and [...] apprising members of one [...]

[...] would act as a central source, in essence, a clearinghouse for information [...] foreign sources. All traditional information [...] web and literature searches, interviews and [...] gatherings. Specific emphasis should be placed on acquiring information [...] service evaluation, and [...] infrastructure protection would be of interest. [...] area of R&D, information should be obtained pertaining to current [...] participants, goals, tools, methodologies, and results. Particular attention [...] that address cross-sector, system-of-system effects. In addition, [...] should be gathered on policies, laws, and standards and how they affect the information infrastructure. Other aspects of information assurance, such as threats, vulnerabilities and countermeasures, should also be pursued.




The  I3P  would  need  to  be  especially  careful  in  handling  data  and  scrupulous  in  its 
sanitization  efforts.  It  must  be  acutely  aware  of  the  sensitive  nature  of  much  of  the 
information  and  must  be  able  to  guarantee  the  confidentiality  of  its  sources.  The 
organization  should  also  have  classification  authority  and  a  well-documented  set  of 
procedures for dealing with proprietary and classified information. Binding
non-disclosure agreements and government security clearances would probably be required.

The  I3P  would  need  to  be  populated  with  respected  experts  who  could  analyze 
and  evaluate  the  raw  information  collected.  With  its  broad  view  across  sectors  and 
technologies,  the  group  would  examine  information,  looking  for  common  threads  and 
patterns.  It  might,  for  example,  look  for  the  most  pervasive  vulnerabilities,  or  those 
vulnerabilities  having  the  greatest  consequences,  to  suggest  areas  in  which  R&D  efforts 
should  be  focused. 

The  I3P  would  build  and  maintain  a  repository  of  information.  This  would 
involve  integrating,  organizing,  and  archiving  information.  It  would  include  developing 
and  maintaining  databases,  catalogues  and  baselines,  including  a  list  of  subject-matter 
experts and a lessons-learned library.

Coordination  among  participants  should  be  continuous.  This  would  require  a 
means  of  secure  and  efficient  communications,  ideally  a  collaborative  tool  that  employs 
web  technology  to  facilitate  information  dissemination,  assign  and  track  projects,  monitor 
program  events  and  schedules,  provide  e-mail  notification  when  new  information 
becomes  available,  and  offer  access  and  search  capabilities  for  the  information  repository. 

D.  EXTERNAL  RELATIONSHIPS 

The  I3P  must  establish  liaison  with,  track  the  activities  of,  and  gather  information 
from  external  organizations  performing  related  work.  This  is  essential  to  avoid 
duplication  and  conflict  and  to  optimize  efforts.  External  groups  of  primary  interest 
include  the  NIPC  and  others  discussed  above  as  well  as  the  following: 

•  Industry  consortia,  associations,  and  committees,  such  as 

-  Information Technology Association of America (ITAA)

-  Telecommunications  Industry  Association  (TIA) 

-  U.S. Telephone Association (USTA)

-  Electric  Power  Research  Institute  (EPRI) 




•  National security committees, including

-  [...] and Information System Security [...]

-  [...]

•  University research organizations

•  National Academy of Sciences

•  Government research organizations, including

-  National and DoD Labs

-  National Security Agency

-  Defense Advanced Research Projects Agency

-  National Science Foundation

-  National Institute of Standards and Technology

-  [...] Office for [...]

-  Information Assurance Technology Analysis Center

-  CERT/CC Coordination Center and other computer emergency response [...]

[...] indicated at the beginning of this chapter, while there is a wealth of activity related to protecting the information infrastructure, [...] As a result, [...] largely uncoordinated and do [...] cross-sector concerns. Furthermore, while a number of existing organizations are involved in information sharing to some extent, none [...] performing all necessary tasks. In conclusion, then, a new entity is [...] broad perspective, excellent professional credibility, well-established ties with all sectors [...] that the I3P, properly designed and staffed, would be able to fill this role.




Chapter  8 

PRODUCT  AND  SERVICES  EVALUATION 


Evaluating  products  and  services  would  be  a  principal  subject  area  addressed  by 
the  I3P.  The  goal  would  be  to  identify,  support,  and  recommend  evaluation  services  that 
meet the needs of critical infrastructure sectors. For the most part, evaluation services
themselves would be performed by organizations other than the I3P. As discussed in the
previous  two  chapters,  this  subject  area  would  include  important  R&D  and  information 
sharing  activities. 

Terminology  in  this  area  is  fluid  but  it  is  important  to  distinguish  certain  concepts. 
The  words  “testing”  and  “evaluating”  will  be  used  interchangeably  in  this  chapter  to 
denote  the  basic  activity  of  testing  a  product  or  service  against  specified  evaluation 
criteria,  which  may  be  based  on  formal  standards,  accepted  benchmarks,  or  ad  hoc 
specifications. A distinct activity, validation or certification of the test results, may raise
credibility if done by an authoritative third party. Another credibility-enhancing activity is
the accreditation or certification of the testing organization or its professionals. In
practice,  many  if  not  most  evaluations  are  performed  by  unaccredited  organizations  and 
the  results  are  not  separately  validated. 

In  the  following  discussion,  terms  such  as  “standard,”  “benchmark,”  and  “best 
practice”  are  used  to  describe  variants  of  the  concept,  “this  is  ok.”  Generally,  “standard,” 
at the beginning of the list, connotes the most formality and implies something obligatory,
whether government-specified or market-driven or voluntary. At the other end, “best
practice” connotes informal information, the use of which is discretionary; that is, it is not
really  a  standard  at  all.  The  discussion  also  encompasses  the  different  “branches”  of 
information  assurance,  including  both  security  products  and  the  security  aspects  of  (a) 
broader-purpose  information  technology  products  and  (b)  systems  and  networks,  both 
new  and  deployed.  We  also  address  professional  services  organizations,  information 
assurance  professionals,  and  information  assurance  education. 




A.

[...] needs [...] generally support measures to improve these services. However, there is [...] should be done to develop better standards to support more effective evaluations, [...]

1.  PCAST Proposal

[...] and would include work in component [...] practices [...] product evaluation. The PCAST also proposed [...] government and industry and draw upon [...] for the purposes, among others, of setting and disseminating best practice [...] information [...] exercises and inspections to certify performance.

2.  Phase 1 Results

In IDA’s Phase 1 interviews and workshop, there were a significant number of suggestions to the effect that new or strengthened [...] are needed in evaluating products and services, including expanded [...] and inspections to certify performance. The notion of an “Underwriters [...] came up on a number of occasions [...] generally for standards for [...] management was suggested by some interviewees. [...] the Phase 1 results reinforced the general thrust of the PCAST [...] in the area of product and services evaluation.

3.  Phase 2 Results

[...] and consultants, assisted by comments from a dozen [...], prepared for what proved to be a lively discussion of product and [...] evaluation and standards setting in a workshop held in September 1 990 [...] comprehensive list of desirable criteria for a product and services evaluator, developed by a working group, is provided on Table 8-1.




Table  8-1.  Desiderata  for  a  Product  and  Service  Evaluator 


A.  Applies  standards  that  are  from  recognized  standards  organizations  or  self-developed  using  credible 
and  appropriate  processes.  Because  of  the  pace  of  change  in  information  technology,  evaluation  may 
well  occur  long  before  formal  standards  can  be  agreed  to  and  issued.  Therefore,  test  methods  and 
criteria  are  often  created  ad  hoc  by  the  evaluator  and/or  vendors;  in  such  cases  a  credible  process  is 
needed  that  reflects  the  interests  of  the  end  users  and  not  just  the  vendors. 

B.  Operates “transparently.” Processes, procedures—and perhaps some or all test results—are available
for  independent  review.  This  does  not  mean  the  evaluator  should  broadcast  the  fact  that  a  product  or 
service  fails  or  the  reason  it  fails.  Also,  as  addressed  below,  proprietary  information  must  be  protected. 
The  underlying  goal  is  that  users  and  vendors  have  confidence  in  the  evaluator’s  processes  and 
results. 

C.  Is  financially  and  organizationally  independent  from  vendors  whose  products  and  services  are 
evaluated.  It  may  not  be  feasible  for  the  evaluator  to  be  completely  independent  in  this  sense. 
Complete  financial  independence  (“we  accept  no  advertising...”)  is  important  in  the  consumer 
environment,  but  less  so  in  a  business-to-business  context.  The  government,  as  a  customer,  has  been 
willing  to  pay  for  product  certification.  Commercial  customers  have  expected  vendors  to  pay  to  have 
their  products  evaluated  by  a  third  party  that  is  organizationally  independent  from  the  vendors. 
Organizational  independence  includes  the  concept  that  there  must  be  protection  from  political 
interference  of  various  kinds.  Political  considerations  should  not  affect  the  evaluator’s  processes  or 
threaten  its  funding  or  continued  existence. 

D.  Is objective. Objectivity may, in fact, be more important than independence. At minimum, if there are
biases  or  conflicts  of  interest,  they  must  be  identified  and  disclosed.  Beyond  this,  what  makes  an 
evaluator  non-objective  and  what  constitutes  a  conflict  of  interest  is  less  clear.  Some  product 
evaluators  claim  objectivity  since  they  (and  their  affiliated  companies)  do  not  make  the  kinds  of 
products  being  evaluated.  However,  they  may  provide  security  consultant  services  or  publish  trade 
magazines.  At  the  same  time  they  have  to  maintain  a  reputation  for  objectivity  in  order  to  sell  their 
certification  service.  Therefore,  what  assurances  of  objectivity  will  be  required  to  engender  trust  of  the 
evaluator  among  both  customers  and  vendors  remains  unclear. 

E.  Is well qualified. This is generally concluded based on the evaluator being accredited by an oversight
entity.  In  the  case  of  NIAP,  described  in  Section  B1  of  this  chapter,  this  is  augmented  by  having  a 
second  entity  validate  the  evaluator’s  work. 

F.  Protects sensitive proprietary information. Appropriate protections must be in place and respected. The
evaluator  should  have  clear-cut  and  well  defined  practices  that  are  available  to  developers  and  users. 
Protections  must  be  strictly  applied  and  breaches— should  they  ever  happen — should  be  dealt  with 
openly.  Moreover,  the  “supplier”  community  must  be  comfortable  with  the  organization  and  its 
information  protection  arrangements.  This  could  be  difficult.  Not  only  must  the  organization  be  trusted, 
but  the  evaluator’s  employees  may  be  subject  to  restrictions  on  future  employment  because  of  their 
access  to  such  information.  Access  to  “the  best  and  the  brightest”  may  suffer. 

G.  Has the respect of the relevant community. Both customers and vendors must be willing to entrust
evaluation  to  the  evaluator  and  to  accept  its  methods  and  conclusions.  This  respect  will  probably  come 
from  the  evaluator  having  all  of  the  necessary  characteristics  discussed  here.  The  evaluator  may  be  a 
government  organization  if  and  only  if  all  other  characteristics  are  assured;  freedom  from  political 
interference  and  independent  funding  may  be  the  stumbling  blocks  here. 

H.  Role must be appropriate to the organization’s mission. A multi-functional organization can perform
evaluations  if  that  is  consistent  with  the  other  parts  of  its  mission.  An  organization  whose  only  function 
is  to  evaluate  may  be  preferable. 


The  product  and  services  evaluation  function  turned  out  to  be  quite  complex.  It 
would  be  wrong  to  say  we  have  detailed  knowledge  of  what  is  going  on  across  all 
branches  of  information  assurance  and  all  infrastructure  sectors.  We  know  enough  to  say 
for  sure  that  activity  is  very  uneven,  and  more  to  the  point,  to  say  that  no  one  has  a  clear 
picture  of  the  totality  of  on-going  and  planned  activities.  In  1999  the  evaluation  and 




standards setting area was a fermenting pot. However, in the course of this work it became clear that the actions I3P would perform in this area were quite circumscribed, perhaps best summarized as harmonizing, facilitating, and gap filling.

[...] that testing and evaluation are appropriate functions to be performed across all branches of information assurance and all infrastructure sectors. However, evaluations necessarily involve using test criteria of some kind and the proper nature and source of these criteria are not [...]. In particular, there is no consensus that formal standards are required. A general standard [...] 15408), developed to guide the definition and [...] governed and it remains to be seen how [...] will be accepted for commercial evaluations. Perhaps even more [...] security, reliability, safety, etc. Relatively [...] that a product evaluation [...] international standard [...] national [...]

[...] battling over instant messaging protocols. Reportedly, Microsoft had changed its [...] more than a dozen times between June and September 1999 to exploit “back doors” [...] as AOL sought repeatedly to prevent the 2 million users of Microsoft’s [...] from [...] messages to the 17 million AOL users. An ad hoc open standard working group meeting [...] would allow open instant messaging among Internet service providers.


type  of  product,  thereby  avoiding  the  complications  of  meeting  different  standards  for 
different  sectors.  More  than  most  people,  academics  and  research  scientists  realize  that 
fundamental  questions  remain  to  be  answered  before  solutions  can  be  promulgated  on 
which  broadly  applicable— and,  especially,  quantitative — standards  can  be  based  for 
testing  products,  systems,  and  networks.  Such  professionals — those  in  academia  more 
than  those  in  private  or  government  research  establishments — are  constitutionally  averse 
to  piecemeal  solutions  of  any  sort,  standards  to  address  this  or  that  specific 
interoperability  problem  included.  Finally,  researchers  are  especially  sensitive  to  the  fact 
that  information  technology  may  develop  in  a  quite  unexpected  direction  at  any  time.  To 
be able to respond to the unexpected, they would very much prefer to do their research
without  being  encumbered  by  any  limitation. 

Virtually  all  parties  in  the  private  sector  share  an  aversion  to  government 
involvement  in  their  businesses.  The  evidence  collected  in  this  study  suggests  that 
government  involvement  in  standards  setting  is  often  viewed  as  too  close  to  government 
regulation  for  comfort.  In  sum,  efforts  to  develop  standards  are  highly  controversial  and 
there  is  no  consensus  on  what  more  should  be  done  in  this  area.  However,  there  is  a 
recognition  that  gathering  and  disseminating  information  on  best  practices  is  a  useful 
function.  There  is  a  clear  need  to  look  across  the  activities,  for  example,  of  states  that 
license  information  assurance  professionals,  academic  accreditation  bodies,  and  various 
product,  system  and  network  evaluators  to  share  knowledge  on  “what  works”  and  point 
out  inconsistencies,  especially  those  that  have  the  potential  for  creating  vulnerabilities. 

B.  EXISTING  ACTIVITIES 

Product  and  services  evaluation  spans  a  wide  range  of  activities  involving  many 
different  organizations.  A  number  of  important  activities  and  organizations  are  only  now 
emerging,  thanks  to  the  increasing  concern  for  information  assurance.  This  section 
provides  concrete  examples  of  the  work  that  is  being  done. 

1.  U.S.  Government 

The  most  stringent  product  evaluation  program  has  been  operated  by  the  Defense 
Department’s  National  Security  Agency  (NSA).  Under  its  Trusted  Product  Evaluation 
Program  (TPEP),  NSA  previously  conducted  all  trusted  product  evaluations  in-house. 
Under  a  more  recent  program,  the  Trust  Technology  Assessment  Program  (TTAP),  NSA 
allows  designated  commercial  laboratories  to  evaluate  products  at  specified  levels  of 




trust. NSA validates each evaluation and publishes an Evaluated Products List. NSA [...] and, in some cases, by vendors [...]

The Commerce Department’s National Institute of Standards and Technology [...] information technology products for conformance with Federal Information Processing Standards (FIPS). For example, NIST [...] labs to test cryptographic modules for conformance with FIPS [...]

[...] Partnership (NIAP) [...] begun in 1997 by NSA and NIST [...] evaluate products based on [...] Voluntary Laboratory Accreditation Program (NVLAP) [...] accrediting the first group of labs, based on [...] and publish a [...] although NIAP may also provide financial support in some cases. [...] information technology product as “potentially useful to the [...] evaluations. The sponsors will decide whether to [...]

3  [...] were [...] performed [...] others—is used by NSA, NIST and certain foreign governments [...] yet still meet their responsibilities as approval authorities. This [...] prove useful in certain commercial niches where security requirements are [...]. In other cases, however, selecting accredited testers whose performance is monitored by [...] and far less costly—means of gaining [...]




effect,  NIAP  validation  will  place  a  product  on  an  international  validated  products  list, 
enabling  a  vendor  to  sell  to  any  of  the  participating  governments  without  further  testing. 

In  the  future,  NIAP  plans  to  address  deployed  systems  as  well.  NIAP  will  define 
criteria  for  evaluating  such  systems  and  for  the  accreditation  of  organizations  to  conduct 
evaluations.  NIAP  will  validate  the  results.  NIAP  also  has  a  research  mission — not,  at  this 
time,  well  funded — to  develop  test  methods  and  tools. 

2.  BITS  Laboratory 

The  Banking  Industry  Technology  Secretariat  (BITS),  under  the  Financial 
Services  Roundtable,  established  the  BITS  Financial  Services  Security  Laboratory  in  the 
summer  of  1999.  This  new  “BITS  Lab”  illustrates  the  concepts  of  sector  specialization 
and  user  control.  BITS  Lab  will  specialize  in  evaluating  products  of  interest  to  the 
financial services industry, including both security products and the security aspects of
e-commerce products. It will be a “self-validating” organization, awarding a “BITS Tested
Mark”  to  products  that  pass  its  tests.  Financial  companies  will  be  encouraged  to  give 
preference  to  such  products.  While  specialization  offers  potential  economies  in  evaluating 
sector-specific  products,  it  could  also  lead  to  wasteful  duplication  and  increased  costs  per 
test  if  each  sector  insists  on  its  own  evaluation  of  common  generic  products.  These  are 
moot  points  for  the  financial  sector  since,  until  NIAP  is  operational,  there  are  no  viable 
alternatives  for  thorough  commercial  evaluations.4 

Perhaps  more  important  to  users  in  the  financial  sector  is  the  control  BITS  Lab 
gives  them  over  the  evaluation  process.  BITS  Lab  will  be  operated  under  contract  by 
Global  Integrity,  a  subsidiary  of  Science  Applications  International  Corporation  (SAIC). 
A  Laboratory  Governance  Committee  of  security  professionals  will  establish  priorities 
and  security  requirements  for  each  product  class,  drawing  on  a  master  set  of  relevant 
standards  from  ANSI,  ISO  (including  the  Common  Criteria),  federal  regulators,  and  other 
sources. Global Integrity and the product vendors will develop test plans for specific
products.  Thus,  even  though  vendors  will  be  “funding  members”  of  BITS  Lab  and  will 
pay  for  product  testing,  BITS  Lab  will  ensure  that  the  process  serves  the  interests  of 


4  The  NIAP  model  will  also  accommodate  sector-specific  products.  For  example,  NIAP  is  defining 
formal  Common  Criteria  security  requirements  (called  Protection  Profiles)  for  a  number  of  specialized 
products,  including  Smart  Cards  and  telephone  switches.  If  necessary,  NIAP  will  also  develop 
specialized  test  methods  and  criteria  for  accrediting  specialized  labs.  BITS  Lab  itself  might  seek 
accreditation  as  a  Common  Criteria  lab. 




financial  sector  end  users.5  The  financial  sector,  valuing  flexibility  and  responsiveness, 
may  also  count  independence  from  government  processes  as  an  advantage. 

It  is  unclear  whether  other  sectors  will  establish  their  own  evaluation  processes. 
Coordination  of  such  processes  across  sectors  to  avoid  conflicts  and  unnecessary 
differentiation (see Section C1 below) could be a potential role for the I3P.

3.  Commercial  Evaluation  Services 

A  broad  range  of  commercial  evaluation  services  is  available.  Information 
technology  vendors  can  pay  consultants  or  independent  labs  to  evaluate  their  products  and 
attest to their findings. A few organizations are trying to establish themselves as
self-validating authorities, evaluating products and awarding widely recognized certification
marks.  Examples  include  ICSA,  Inc.  (referred  to  as  International  Computer  Security 
Association)  and  West  Coast  Labs.  ICSA,  for  instance,  organizes  consortia  of  vendors  to 
develop  test  criteria  for  products  such  as  firewalls  and  anti-virus  software.  Vendors  pay 
ICSA to have their products tested and those that pass are awarded the ICSA certification
mark. The tests are “black box” evaluations, focusing on specified performance features,
such as the ability to identify and defeat a list of potential attacks.6 Such tests are valued
for  their  speed  and  low  cost,  but  they  lack  the  thoroughness  of  Common  Criteria  tests, 
which  also  address  such  matters  as  how  a  product  is  developed  and  how  it  functions 
internally.  To  build  a  respected  certification  mark,  ICSA  must  maintain  a  reputation  for 
objectivity  and  integrity.  However,  it  is  clearly  providing  a  service  for  vendors;  end  users 
apparently  do  not  directly  influence  the  evaluation  process. 

Buyers  guides  for  generic  information  assurance  products  offer  another  useful 
service.  For  example,  PC  World  from  time  to  time  publishes  comparisons  of  the  leading 
anti-virus  software  products.  Comparisons  are  based  on  black  box  performance  tests, 
useful  features,  and  prices.  A  tutorial  on  product  functions  is  included.  While  such 
comparisons  provide  information  not  conveyed  by  a  pass/fail  certification  mark,  the 


5  [...] will be based on the needs of the financial sector rather than a lowest common-denominator consensus among information technology vendors.

6  [...] for example, [...] based in part on the Wild List, which identifies viruses that are known to be infecting computers (as opposed to viruses that exist only in computer labs).



information  is  time-limited.  The  buyers  guide  approach  does  not  lend  itself  to  ensuring 
that  a  product  continues  to  meet  requirements  as  time  passes,  often  an  essential  feature  of 
a  security  product.7 

4.  Evaluating  Deployed  Systems 

Security  evaluation  of  the  operational  cyber  systems  of  the  critical  infrastructure 
sectors  is  essential.  Such  evaluations  should  examine  whether  security  policies  are 
adequate  and  enforced,  whether  system  architectures  provide  adequate  protection 
(including  redundancy,  fault  tolerance,  and  security),  and  whether  security  components 
are configured and operated correctly. Red-teaming (staged cyber attacks to uncover
vulnerabilities) can be a very useful evaluation tool.

In  the  private  sector,  a  wide  variety  of  consultants  offer  network  security  services, 
including  assessment  and  remedial  advice.  The  providers  range  from  well  known 
companies  such  as  Ernst  &  Young,  which  offers  a  service  called  eSecurity  Solutions,  to 
small  startups  whose  competence  is  unknown.  ICSA  offers  a  structured  approach  for  user 
networks  connected  to  the  Internet  called  TruSecure,  which  includes  assessment  and 
advice  on  improving  security.  ICSA  awards  TruSecure  certification  to  qualifying  systems, 
conducts  follow-up  audits  and  spot  checks,  and  requires  annual  re-certification. 

Many  large  organizations  perform  their  own  system  evaluations.  The  Department 
of  Defense  (DOD),  for  example,  requires  a  “certification  and  accreditation”  process  for 
all  of  its  operational  information  systems.8  For  each  system,  a  Certification  Authority  is 
appointed  to  evaluate  whether  system-specific  security  requirements  are  satisfied.  A 
Designated  Approving  Authority  for  that  system  then  accredits  (i.e.,  authorizes)  its 
operation  if  it  can  be  operated  at  an  acceptable  level  of  risk  given  its  mission.  While  DOD 
attempts  to  identify  classes  of  systems  with  similar  security  requirements,  it  has  not 


7  To  retain  an  ICSA  certification,  for  example,  a  vendor  must  make  a  contractual  commitment  to  meet 
published  criteria.  For  anti-virus  products,  the  criteria  are  updated  monthly  to  reflect  new  threats.  ICSA 
spot  checks  products  two  to  four  times  per  year,  insists  on  needed  corrective  action  within  seven  days, 
and  requires  annual  recertification.  Non-complying  products  are  removed  from  the  certified  products 
list.  Under  the  NIAP  scheme,  a  validation  certificate  applies  only  to  the  specific  product  version/release 
that  is  evaluated.  However,  by  complying  with  a  Certificate  Maintenance  Program,  a  sponsor  can 
obtain  updated  validation  certificates  for  modified  products  without  repeating  the  full  evaluation 
process.  A  NIAP-validated  plan  must  specify  ongoing  maintenance  activities,  required  evidence  of 
compliance, what must be verified by the testing lab, and what circumstances would make a full
re-evaluation necessary. Among other things, changes in the threat environment may be considered.

8  The  DoD  Information  Technology  Security  Certification  and  Accreditation  Process  (DITSCAP)  is 
defined  in  DoD  Instruction  5200.40,  December  30, 1997. 



defined  system  security  standards.  Ultimately,  authorization  to  operate  depends  on  the 
informed  judgement  of  a  designated  authority. 

Overall,  the  evaluation  of  deployed  systems  is  hindered  by  a  lack  of  evaluation 
standards  and  by  the  absence  of  an  authoritative  entity  to  accredit  the  organizations  that 
conduct  evaluations  and,  in  certain  cases,  validate  individual  evaluations.  As  noted  above, 
NIAP  intends  to  address  these  needs,  but  many  people  question  its  future  because  of  the 
prevalence  in  industry  of  antipathy  to  involving  a  government  entity  in  internal  operating 
matters. This area is very important for the critical infrastructure providers, who need
assurance  that  their  own  systems  are  secure.  Further,  they  need  an  efficient  and 
authoritative  means  of  determining  whether  interconnected  systems  owned  by  other 
companies  are  secure. 

5.  Professional  Certification 

Perhaps  a  prerequisite  for  improving  the  evaluation  of  deployed  systems  is 
building  a  corps  of  recognized,  credible  security  professionals.  At  least  two  national 
organizations  offer  relevant  certification  programs.  The  International  Information 
Systems Security Certification Consortium (ISC)² awards the Certified Information
Systems  Security  Practitioner  (CISSP)  designation.  Qualifications  include  gaining 
information  assurance  experience,  complying  with  a  professional  code  of  ethics,  and 
passing  a  test  on  the  relevant  common  body  of  knowledge.  Re-certification  is  required 
every  3  years  and  reflects  interim  activities.  The  Information  Systems  Audit  and  Control 
Association  (ISACA)  administers  the  Certified  Information  Systems  Auditor  (CISA) 
designation  held  by  more  than  12,000  professionals  worldwide.  There  are  also  state-level 
programs  that  may  affect  security,  for  example,  the  licensing  of  software  engineers  by  the 
State  of  Texas.  However,  judging  from  the  comments  of  industrial  participants  in  the  IDA 
working  groups,  it  is  not  clear  that  these  programs  have  had  a  perceptible  impact  in 
industry. 

6.  Standards  Organizations 

As  is  evident  from  the  discussion  above,  many  organizations  are  involved  in 
establishing  benchmarks,  criteria,  and  standards  for  testing  and  evaluation  in  the  various 
branches of information assurance. The confusion evident in these processes is relieved
only somewhat by the existence of a recognized formal worldwide system for standards
setting.




At  the  top  of  the  international  hierarchy  of  information  technology  standards 
setting  entities  is  the  Joint  Technical  Committee  1  of  the  International  Standards 
Organization  and  the  International  Electrotechnical  Commission.  Standards  for 
information  assurance  are  the  purview  of  Subcommittee  27  (ISO/IEC  JTC1/SC27),  which 
has  emphasized  cryptology  but  lists  international  standard  ISO/IEC  15408  (Common 
Criteria)  among  its  products.  ISO/IEC  JTC1  members  are  a  mix  of  national  government 
and  industry-supported  organizations. 

The American National Standards Institute (ANSI) is the U.S. member of
ISO/IEC  JTC1.  In  principle,  ANSI  could  carry  out  “conformity  assessment”  activities, 
such  as  accrediting  third  party  product  certifiers  in  the  area  of  information  assurance. 
However,  in  practice,  this  is  being  done  under  the  NIAP  Common  Criteria  scheme. 

Specialist  industry  and  professional  groups  also  establish  standards  within  the 
ISO/IEC  system  and  on  their  own.  For  example,  the  Institute  of  Electrical  and  Electronics 
Engineers  (IEEE)  is  an  ANSI  “accredited”  standards  development  organization.  The 
IEEE  Computer  Society  is  the  largest  of  the  IEEE  societies  and  is  responsible  for 
standards  development  (including  those  pertaining  to  security),  a  process  that  is  inclusive 
in  participation  and  elaborate  procedurally,  reflecting  ISO  and  ANSI  policies.  Once 
approved  internally,  IEEE  standards  are  usually  provided  to  ANSI  and  ISO  and  other 
national,  regional  and  international  organizations  for  possible  adoption. 

To  carry  the  example  a  step  farther,  the  IEEE  Computer  Society  Internet  Best 
Practices  Standards  Working  Group  has  been  addressing  Internet  security  recommended 
practices,  building  on  the  work  of  the  Internet  Engineering  Task  Force  (IETF)  and  the 
Web  Consortium,  among  others.  The  IETF  and  Internet  Engineering  Steering  Group 
(IESG),  related  to  the  Internet  Society  (INSOC)  and  the  World  Wide  Web  Consortium 
(W3C),  develop  standards  for  worldwide  web  security  through  the  IETF  Security  Area 
Advisory  Group  (IETF/SAAG). 

In  addition  to  those  named  above,  other  industry  and  professional  groups  carry  on 
what  is  in  effect  standards  development  work.  The  Association  for  Computing  Machinery 
(ACM)  Special  Interest  Group  on  Security,  Audit  and  Control  (ACM/SIGSAC)  sponsors 
conferences  and  workshops,  and  publishes  transactions,  that  establish  the  groundwork  for 
standards.  There  is  an  IEEE  Computing  Society  and  ACM  Software  Engineering 
Coordinating  Committee,  which,  among  other  things,  is  developing  a  “Guide  to  the 
Software  Engineering  Body  of  Knowledge”  for  use  in  licensing  and  certification  of 
professionals.  It  is  not  focused  on  security  matters. 



In some cases there is a well-established hierarchy for standards setting. However, the
processes are complex at best [... and cooperative agreements, ...] and convoluted processes in
[...] cannot keep up with the pace of information technology development.

7.  Assessment  of  Existing  Activities 

[...] evaluation-related tasks and organizations and offers summary assessments of
whether existing activities are adequate to perform the listed tasks.

[...] more advanced for products than for deployed systems. [...] not readily available
today [...] identified, some umbrella standards have been defined, and organizations [...]
established, with NIAP as the most prominent. It remains to be seen how [...] in particular,
how well they will meet the specialized needs of the [...] infrastructure sectors. For
deployed systems, in contrast, the way forward [...] NIAP [...] the organizational gap, but
it will take [...] standards, evaluation [...] general area of providing tools and support
for the evaluation of both [...] deployed systems requires greater attention. The potential
role of I3P [...] addressing current gaps and weaknesses is discussed in the following section.




Table  8-2.  Assessment  of  Existing  Product  and  Services  Evaluation  Activities 


| Task | Existing Activities | Assessment | I3P's Role |
|---|---|---|---|
| [...] | | | |
| Accredit test labs | NIST's NVLAP for NIAP | | |
| Test/evaluate products | NSA, thorough, limited; NIAP, thorough but new; BITS, for bank sector, new; ICSA, WCL, black box testing | Many new initiatives, too soon to judge | |
| Certify/validate tests | NSA, own and outside tests; NIAP, outside tests; NIST, outside tests; ICSA, WCL, own tests | Many new initiatives, too soon to judge | Potential niche validator |
| Prepare buyers guides | Trade press, black box snapshot; Associations, technical tutorial | Coverage emphasizes mature products | |
| [...] | | | |
| Accredit testing organizations | NVLAP, proposed for future | No existing activity | Potential niche accreditor |
| Test/evaluate systems | NSA, NIST for federal systems; Consultants, range of services; Self test, informed entities | Competence uneven, methods ad hoc | |
| Certify/validate tests | NIAP, proposed for future | No existing activity | Potential niche validator |
| [...] | | | |
| Develop testing methods, tools, metrics | NSA, has expertise; NIAP, mission underfunded | Focus on government needs, funding inadequate | R&D, info sharing, tech transfer |
| Develop test and accreditation criteria | NIAP, based on CC; BITS, based on mix; ICSA, by vendor consortia | Need to define and harmonize specific criteria | R&D, info sharing |
| Develop product and interoperability standards | IEEE Computer Society; IETF, for interoperability; ANSI, IOC, IES; NIST for government FIPS; Associations, specific interests | Multiple channels and slow processes | Info sharing, perhaps facilitate |
| Maintain attack databases | Wild List, relevant viruses; Testers, relevant threats; Manufacturers, relevant threats | Some information closely held for market advantage | Info sharing |
| Maintain IA test bed | Consultants, for general IT; Government (NRL, DARPA) | Gaps in special-purpose facilities | If needed for R&D function |
| [...] | | | |
| Accredit IA curricula and schools | CSAB, computer science; SECC, software engineering | No IA focus at this time | Info sharing, encourage accreditors |
| Accredit IA professionals | (ISC)², info security; ISACA, info system audit | Emerging, relevant programs | Info sharing |

C.  THE  ROLE  OF  THE  I3P 

The critical infrastructure providers must first have a [...] and must [...] have [...]
evaluation services. Such services are essential for building, operating and [...] and
promoting them should be a major [...] should play a supporting role, harmonizing,
facilitating and [...], but relying on other organizations for operational activities. The
I3P's R&D and information sharing activities should prove particularly useful in the
evaluation [...]. Table 8-3 summarizes these roles, which are discussed in succeeding sections.

Table 8-3. Needed Product and Services Evaluation Functional Tasks

- [...] use of evaluation services that meet the needs of the critical infrastructure sectors
- Harmonize processes and criteria used by overseers and evaluators
- Facilitate on-going work and the establishment of new capacities, as needed
- Fill gaps in evaluation and standards area where only the I3P is serviceable
- [...] to improve test methods and develop tools, metrics, and benchmarks (see Chapter VI on R&D function)
- [...] and sharing of information on best practices among [...] and infrastructure operators (see Chapter VII on information sharing function)


1.  Harmonize  Processes  and  Criteria  Used  by  Overseers  and  Evaluators 

[...] would have a broad perspective encompassing all of the [...] infrastructures and the
various branches of information assurance. It would thus be [...] positioned to promote a
voluntary convergence of evaluation processes and criteria [...] strengthen the evaluation
[...] by promoting wide use of best practices. Further, it [...] organizations and criteria.
Such differentiation can [...] forcing multiple testing of individual products. It can also
weaken [...] not serve [...]



specialization  may  thus  prove  advantageous,  either  within  a  broad  approach  such  as  NIAP 
or  through  sector-specific  organizations  such  as  BITS  Lab.9 

The degree to which the I3P should become involved in establishing benchmarks,
criteria,  or  even  standards  is  unclear.  Certainly,  taking  broad  responsibility  for  standards 
setting  would  encroach  on  the  responsibilities  of  other  organizations.  Further,  it  would 
risk  alienating  industry,  whose  cooperation  is  essential,  because  industry  tends  to  see 
government  involvement  in  creating  standards  as  the  initial  step  on  a  slippery  slope 
toward  government  regulation.  In  addition,  it  would  place  at  risk  the  cooperation  of  those 
researchers  who  believe  that  standard  setting  is  premature  for  the  foreseeable  future.10 

2.  Facilitate  Ongoing  Work  and  Establishing  New  Capabilities,  as  Needed 

From  time  to  time,  as  the  I3P  promotes  the  availability  of  needed  evaluation 
services,  it  will  identify  opportunities  to  make  useful  contributions.  These  likely  will  be 
very  focused,  finite  activities  to  facilitate  on-going  work  or  jump-start  new  projects.  In 
such  cases,  the  I3P  should  be  able  quickly  to  provide  modest  funding  (e.g.,  <  $100,000) 
and  temporary  staffing  to  seed  selected  new  initiatives  or  free  up  work  stuck  at  a  critical 
juncture.  An  example  might  be  bringing  the  protagonists  in  an  important  interoperability 
dispute  to  the  table  to  settle  on  an  appropriate  interoperability  standard. 

3.  Fill  Gaps  in  Evaluation  and  Standards  Area  Where  Only  the  I3P  Is  Serviceable 

Overall,  the  I3P  could  serve  best  by  not  being  directly  involved  in  the  day-to-day 
processes  of  evaluation  and  standards  development.  It  should  be  quite  enough  that  it 
gathers  information  on  best  practices  to  support  its  own  scientific  and  policy  research 
function,  and  incidentally  disseminates  this  information  widely.  If  the  need  for  a  new 
evaluator or overseer or a new standard-setting process arose, I3P should prefer to use its
facilitation  capabilities  to  help  stand  up  an  appropriate  entity.  However,  it  is  possible  that 
a  unique  circumstance  would  arise  in  which  it  made  sense  for  the  I3P  to  be  an  overseer  in 
a  very  specialized  niche.  For  example,  for  deployed  systems,  it  might  be  needed  as  the 


9  Also,  there  are  inherent  testing  tradeoffs  between  thoroughness  on  the  one  hand  and  cost  and  speed  on 
the  other.  Differentiation  may  thus  be  necessary  to  accommodate  the  tradeoff  preferences  of  various 
market  segments. 

10  Some  interviewees  thought  that  more  sophisticated  testing  and  standards  were  futile.  Until  users  take 
reasonable  advantage  of  what  is  available  to  them  now,  in  this  view,  procedural  and  measurement 
refinements  are  a  waste  of  resources. 




[...] particularly [...]

However, two principles are clear: I3P should [...] evaluator or overseer [...] is working
at all satisfactorily, and [...] not aspire to a broad function as an overseer or evaluator.
It nonetheless seems [...] to avoid [...] decisions on such possibilities in advance because
a very [...] looms [...] the evaluation business. Will NIAP succeed? Some interviewees [...]
be able to [...] slow, and risky to the vendor. Also, government validation of individual
laboratory evaluations is a potential bottleneck. Even more basic, [...] that an evaluation
regime created and controlled by the U.S. government is [...] absolute objectivity. They hold
to the [...] approach to information assurance. Some parts [...] government want to enhance
security; others want to monitor, measure [...]. There is a significant market segment [...]
government validation of a security product or system means a "back door" [...] only to NSA,
has been built into [...]

The jury is still out on NIAP. Should the I3P [...] positioned to fill in if [...] proves to
be unacceptable because of its [...] agency? [...] answer is not clear, partly because it will
depend on the [...] of the I3P. If the problem is distrust of government mechanisms, the I3P
[...] control so as to be quite independent both [...]

4. [...] to Improve Test [...] Develop Tools, [...]

[...] in the evaluation [...] principal [...] of the I3P's activities [...] basis adequate to
establish sound test criteria, let alone broadly applicable standards [...] effectiveness of
evaluations. A major product of gathering and [...] on best practices would be the
identification of gaps in [...] knowledge base that supports the evaluation of products and
services. This, in [...], would guide the I3P's scientific

[...] The seminal 1999 book [...]


research  program.  Tests  different  than  those  now  in  use  would  emerge  from  such 
research,  and  the  I3P  would  be  responsible  for  promulgating  information  on  them. 

Also,  there  is  a  consensus  that,  to  bring  down  evaluation  costs,  fundamentally  new 
tools  and  techniques  are  needed.  These  methodological  instruments  are  not  being 
developed,  and  evaluation  costs  are  still  too  high.  More  R&D  is  needed. 

5.  Establish  Linkages  that  Promote  the  Gathering  and  Sharing  of  Information 

I3P's information sharing activity should include the product and services
evaluation  area.  It  should  gather  and  disseminate  information  to  support  the  R&D 
activities  discussed  above.  It  should  collect  and  distribute  information  on  best  practices 
for  evaluation.  It  should  maintain  an  overall  understanding  of  the  extraordinarily  diverse 
assortment  of  entities  active  in  evaluation  and  standards  setting.  A  fundamental  policy 
question  each  year  should  be,  “Is  the  currently  existing  patchwork  quilt,  overall  and  on 
balance,  adequate  for  national  security?”  This  answer  in  1999  was  certainly  “no.” 

D.  EXTERNAL  RELATIONS 

In  fulfilling  its  functions  in  the  area  of  product  and  services  evaluation,  the  I3P 
would  interface  with  a  vast  number  of  entities  including:  users  in  the  critical 
infrastructure  sectors,  information  technology  vendors  and  providers,  associations 
representing  users  and  vendors,  universities,  the  executive  and  legislative  branches  of  the 
U.S.  government,  foreign  governments,  and  international  bodies.  Governing  and 
oversight structures for the I3P must represent a balancing of the most important of these
interests;  however,  this  does  not  impose  demands  different  from  those  implicit  in  the 
basic  R&D  function. 

Successful  interactions  with  industry  would  be  built  on  three  qualities  and 
capabilities of the I3P. The first is a determined and patient building of mutual confidence
and  respect.  In  order  for  this  to  succeed,  the  I3P  must  have  intellectual  “trading  goods”  in 
the  form  of  internal  expertise.  In  carrying  out  the  gathering  and  disseminating  of  best 
practices,  the  I3P  would  acquire  a  significant  satchel  of  trading  goods.  It  would  be 
providing  useful  tidbits  regularly  and  would  have  broad  knowledge  about  what  is  going 
on  in  evaluation  technology  and  the  critical  infrastructure  sectors.  Finally  an  ability  to 


of  effort  if  one  seeks  to  keep  disruptions  localized.  See  National  Research  Council,  Trust  in 
Cyberspace,  Committee  on  Information  Systems  Trustworthiness,  1999. 



deploy  money  very  quickly  at  critical  moments  would  earn  it  a  special  place  among  the 
professionals  who  work  in  user  organizations,  academic  institutions,  and  research  entities. 
Fifty  or  a  hundred  thousand  dollars  is  very  little  in  federal  budget  terms,  but  for  these 
professionals  getting  authorization  to  spend  that  much  money  on  something  that  was  not 
pre-approved  through  lengthy  review  processes  is  usually  out  of  the  question.  They  would 
want to be friends of an organization that could commit such funds in a matter of hours or
at  most  days.  This  last  capability  would  be  easy  to  establish  in  a  private  sector 
organization,  less  so  in  a  government  organization. 




Chapter  9 

EDUCATION  AND  TRAINING 


The  Institute  for  Information  Infrastructure  Protection  (I3P)  should  ensure  its 
research  activities  contribute  to  preparing  the  IT  workforce  to  understand  and  address 
information  infrastructure  vulnerabilities.  The  availability  of  personnel  trained  in 
information  assurance  is  essential  for  the  protection  of  the  information  systems  across  the 
critical  infrastructure  sectors.  A  research  program  that  is  responsive  to  workforce  needs 
can  be  successful  in  building  a  pool  of  qualified  instructors  and  researchers,  recruiting 
and  training  professionals,  and  increasing  awareness  in  the  information  technology  field. 

Interview  respondents  and  workshop  participants  emphasized  that  current  efforts 
to  train  the  workforce  are  inadequate  to  meet  future  needs  and  identified  some  of  the 
needed  functions.  Some  experts  recommended  that  the  I3P  should  perform  many  of  the 
needed  functions  itself,  such  as  curriculum  development,  financial  support  to  students, 
and  certification  of  professionals  and  programs.  Others  felt  that  the  I3P  should  primarily 
offer  support  and  resources  to  the  outside  organizations  already  engaged  in  these 
activities. 

A.  EDUCATION  AND  TRAINING  REQUIREMENTS 
1.  IDA  Interviews  and  Workshops 

The PCAST proposal included training among the technical concerns to be
addressed  in  its  proposed  R&D  agenda.  Participants  in  the  IDA  interviews  and 
workshops  corroborated  the  need  for  a  range  of  education  and  training  activities  in 
information  assurance.  Current  activities  are  reportedly  small  in  scope,  with  perhaps  as 
few  as  20  universities  and  10  federal  agencies  offering  major  information  assurance 
training  programs.  Only  a  handful  of  universities  offer  information  assurance  education 
as  part  of  a  comprehensive  teaching  and  research  program  comparable  to  more  traditional 
academic  disciplines. 

A  number  of  interview  respondents  emphasized  the  lack  of  qualified  instructors  as 
a  major  difficulty  in  maintaining  a  high  level  of  activity  in  information  assurance 




education.  For  example,  some  numbered  the  pool  of  tenured  professors  in  the  U.S.  who 
are  engaged  in  large-scale  information  assurance  teaching  and  research  activities  at  just 
one  dozen.  The  number  of  information  assurance  graduate  students  at  research 
institutions  is  also  small,  and  many  are  foreign  citizens  and  therefore  unable  to  work  on 
research  projects  that  require  access  to  sensitive  information. 

Although  information  assurance  has  yet  to  gain  recognition  as  a  major  area  of 
research  and  professional  activity,  demand  for  information  assurance  professionals  is 
high.  Several  interview  respondents  expressed  frustration  at  the  difficulty  of  finding 
personnel trained in this field. Some schools are reporting salary offers considerably
higher than average for students graduating with experience in information assurance.1

Career  opportunities  for  information  assurance  professionals  are  expected  to 
increase  in  the  near  future  as  more  information  on  threats  and  vulnerabilities,  as  well  as 
new  methods  and  approaches  for  dealing  with  them,  becomes  available.  However,  some 
interview  respondents  indicated  that  better  defined,  higher  profile  career  paths,  especially 
in  law  enforcement  and  the  military,  are  needed  to  encourage  students  and  soldiers  to 
consider  careers  in  information  assurance. 

There  is  a  need  for  both  information  assurance  specialists  and  non-specialist 
practitioners  in  a  variety  of  career  fields.  Interview  respondents  identified  at  least  four 
types  of  professionals  who  need  to  be  trained  in  the  principles  and  practices  of 
information  assurance: 

•  Those  who  design,  implement,  evaluate,  modify,  and  maintain  networked 
systems  must  be  trained  to  ensure  security  by  design  and  by  practice. 

•  Designers  and  engineers  of  widely  distributed  software  and  hardware  must 
understand  how  to  minimize  the  vulnerabilities  that  their  products  introduce 
into  the  information  infrastructure. 

•  Managers  and  executives  must  be  familiar  with  the  technology  and  practices 
in  order  to  coordinate  the  above  efforts  effectively. 

•  Computer  users  must  understand  how  their  actions  affect  security. 


1 See Computing Research Association (CRA), The Supply of Information Technology Workers in the
United  States,  www.cra.org/reports/wits/chapter  1  .html.  October  13,  1999.  (Hereinafter  cited  as  CRA 
Report.) 




2.  Pipeline  of  Information  Technology  Workers 

Information  assurance  workforce  issues  are  directly  related  to  workforce  issues  in 
the  broader  field  of  information  technology.  Before  addressing  ways  to  increase  the 
‘pipeline’  of  information  assurance  workers,  it  will  thus  be  useful  to  review  the  structure 
of  IT  training  as  a  whole. 

a.  Degree  Programs 

The  role  of  degree  programs  in  supplying  information  technology  workers  can  be 
described  with  the  aid  of  a  typology  from  a  recent  publication  by  the  Computing  Research 
Association.  It  classifies  information  technology  workers  into  four  categories: 

•  Conceptualizers.  Conceive  of  and  sketch  out  the  basic  nature  of  a  computer 
system  artifact  (e.g.,  researcher,  system  architect) 

•  Developers.  Work  on  specifying,  designing,  constructing,  and  testing  an 
information technology artifact (e.g., system designer, computer engineer,
tester) 

•  Modifiers/Extenders.  Modify  or  add  on  to  an  information  technology  artifact 
(e.g.,  programmer,  database  administrator) 

•  Supporters/Tenders.  Deliver,  install,  operate,  maintain,  or  repair  an 
information  technology  artifact  (e.g.,  network  administrator,  computer 
support) 2 

Table  9-1  outlines  the  contributions  of  degree-granting  institutions  to  the  pipeline 
of  IT  workers,  using  the  Computing  Research  Association  definitions. 


2  Ibid.,  chapter  2.  This  section  borrows  heavily  from  the  CRA  report. 




Table  9-1.  Sources  of  Information  Technology  Workers 


| Degree | Job Category | Skills | Pipeline Issues |
|---|---|---|---|
| Vocational | Supporters/Tenders | Entry-level and operating skills such as data entry | |
| Associate's (2-Year) | Supporters/Tenders | Discipline-specific training on current software packages, operating systems, and network administration, etc. | Only 1/3 of two-year colleges award IT-related degrees |
| Bachelor's | Developers, Modifiers/Extenders | More conceptual knowledge than specific training; able to perform more design tasks, update knowledge quickly | Largest source of IT workers; most popular choice is non-related technical major with some IT-related coursework |
| Master's | Conceptualizers, Developers, Modifiers/Extenders | Combination of conceptual knowledge and specialization; research experience | Difficult to attract, retain students; 1/3 of grad students are foreign |
| Doctoral | Conceptualizers | Breadth of knowledge; expertise in particular area; trained to teach or carry out research | About 850 new Ph.D.s per year; almost half are foreign citizens; only 30% enter teaching |

The  largest  source  of  IT  workers  is  four-year  bachelor’s  degree  programs,  but  not 
necessarily  in  fields  related  to  information  technology.  Most  commonly,  these  workers 
have  degrees  in  technical  fields  unrelated  to  information  technology  but  with  additional 
coursework  or  training  in  IT  subjects. 

Nevertheless, the Computing Research Association study found that several types
of degree programs related to information technology are commonly available at the
undergraduate level:

•  Computer  engineering.  Graduates  work  primarily  in  computer  hardware 

•  Computer science and engineering. Graduates work primarily in hardware,
firmware, and software

•  Computer science. Graduates work primarily in software design and
implementation

•  Software  engineering.  Graduates  work  with  the  engineering  of  software,  with 
special  attention  devoted  to  large  and  critical  systems 

•  Computer  information  science.  Graduates  work  on  the  development  of 
information  systems  with  emphasis  on  information  as  an  enterprise  resource 

•  Information  systems.  Graduates  design,  develop,  implement,  and  maintain 
business  information  systems 




•  Management  information  systems.  Graduates  design,  develop,  implement, 
maintain,  and  manage  information  systems  with  emphasis  on  the  management 
of  the  systems 

•  Information  science.  Graduates  usually  work  in  libraries  or  similar  facilities 

In  contrast  to  the  variety  of  IT-related  majors  at  the  undergraduate  level,  the  vast 
majority  of  graduate  (master’s  and  doctoral)  degrees  are  produced  in  computer  science 
departments.  A  number  of  IDA  interview  respondents  emphasized  that  universities  are 
finding  it  especially  difficult  to  recruit  and  retain  graduate  students  and  suggested  a  few 
reasons.  One  is  that  there  is  fierce  industry  demand  for  highly  skilled  information 
technology  workers.  Another  is  that  academic  research  has  taken  on  an  increasingly 
short-term  focus  and  has  thus  become  less  distinguishable  from  industry  work.  A  third 
reason  is  that,  with  increasingly  heavy  teaching  loads,  computer  science  faculty  members 
have  little  time  for  advising  or  mentoring  their  graduate  students. 

b.  Non-degree  Programs 

This  type  of  training  provides  information  technology  workers  with  the  skills 
needed  to  enter  specific  vocational  jobs.  Table  9-2  lists  several  types  of  non-degree  IT 
programs. 

Of  these  non-degree  programs,  corporate  universities  are  perhaps  the  fastest 
growing.  Despite  promising  activity  in  the  non-degree  sector,  quality  is  difficult  to 
assure.  There  are  essentially  no  standards  or  accreditation  processes  in  the  non-degree 
training  market. 

c.  Conclusions  on  Information  Technology  Pipeline 

With the exception of some graduate degree programs, most types of IT training and
education  are  in  high  demand.  However,  the  availability  of  instructors  limits  the  number 
of  students  that  can  be  accommodated.  Excellent  opportunities  in  industry  and  other 
factors  make  it  difficult  for  institutions  to  attract  and  retain  graduate  students  and 
qualified  instructors.  Universities  currently  employ  a  large  number  of  adjunct  faculty,  but 
some  interview  respondents  said  that  many  more  information  assurance  professionals  are 
willing  to  serve  as  adjunct  instructors.  University  regulations,  the  tenure  system,  low 
adjunct  pay  scales,  and  company  policies  tend  to  restrict  the  use  of  adjuncts. 




Table 9-2. Non-degree Programs

| Source | Type of Training |
|---|---|
| Vocational training schools | [...] jobs in [...] the IT workforce. |
| [...] traditional four-year colleges | Aimed at college graduates looking to upgrade their skills |
| Four-year college course offerings | Sometimes tailored for specific companies located near the [...] |
| [...] | [...] use of specific products, [...] |
| Corporate universities | [...] to influence curriculum and [...] personnel shortages in key areas. |

Source: CRA report, Chapter [...]

B.  POTENTIAL  REMEDIAL  MEASURES 

[...] information assurance [...] must accomplish both of the following goals:

•  Increase the number of qualified information assurance professionals

•  [...] information assurance instructors at colleges, universities, and training centers

[...] in order to train the next generation of [...] discusses some of the measures that
could be taken to achieve these goals.

1.  Increase  the  Number  of  Information  Assurance  Professionals 

[...] workers [...] types of [...] hardware designers, management, and users. [...]
assurance specialists with cross-functional expertise are needed to [...] systems,
identify vulnerabilities, and implement IA practices. Wh[...] require specialized
college or graduate degrees, the [...] the general IT workforce are more varied and
likely to include a mix of degree, non-degree, and on-the-job experiences.

College  graduates  constitute  the  largest  source  of  IT  workers;  therefore,  efforts  to 
increase  interest  and  awareness  of  information  assurance  should  focus  on  introducing 
specialized  information  assurance  courses  into  college  offerings.  In  addition,  information 
assurance  topics  should  be  incorporated  into  popular  IT-related  courses,  such  as  computer 
science,  software  engineering,  and  information  systems,  to  reach  a  broad  audience. 

Since  many  IT  workers  seek  training  after  college,  efforts  to  increase  the  pipeline 
of  information  assurance  workers  should  also  target  graduate  and  post-graduate  education 
as  well  as  non-degree  programs  and  employer-supplied  training.  Institutions  and  training 
centers  that  undertake  the  following  activities  may  offer  the  greatest  opportunity  for 
pipeline  growth: 

•  Target  professionals  looking  to  upgrade  their  skills 

•  Use  adjunct  instructors  from  industry,  government,  and  other  sectors 

•  Offer  professional  master’s  degrees 

•  Locate  near  industry  centers 

•  Use  distance  learning  formats 

•  Build  corporate  university  programs 

Opportunities  for  workers  to  participate  in  non-degree  and  employer-supplied 
training  programs  are  increasing  rapidly.  However,  some  companies  are  reluctant  to 
provide  training  out  of  concern  that  their  competitors  will  hire  away  well  trained  workers. 
One  way  for  companies  to  reduce  this  risk  is  to  form  a  training  consortium.  For  instance, 
through  programs  such  as  Partnering  for  Workforce  Development,  the  SEMATECH 
consortium  demonstrates  an  industry-supported  training  consortium  designed  to  increase 
the  pool  of  trained  individuals  through  career  marketing  and  development  of  faculty  and 
curricula.3 

Most  interview  respondents  said  that  strong  incentives  for  students,  workers,  and 
companies  would  be  needed  to  increase  the  number  of  trained  information  assurance 
professionals.  Proposed  mechanisms  include  the  following: 


3 “Sematech in the Community,” Semiconductor Manufacturing Technology consortium,
www.sematech.org/public/community/workforce.htm. December 21, 1999.




•  Scholarships. Most interview respondents recommended scholarships to [...]
students at all levels to pursue specialized information assurance training.

•  Curriculum development. Widely available information assurance curricular
materials at all levels (even K-12) would facilitate the development of new
courses and the integration of the newest information assurance principles and
practices into existing curricula. Some interview respondents expressed the [...]
syllabus, but others were [...] developed in a timely manner. The National Science
Foundation has [...] a method that [...] together with researchers in a workshop
format to write curricula based on the latest research findings [...] on the World
Wide Web for instructors to use immediately. Other models of success in curriculum
development are available from NSF’s Division of Undergraduate Education and
elsewhere.

•  [...] programs. [...] is a perceived need for accreditation and certification of
education and training programs. The Computing Research Association report
explains that the need is especially acute for non-degree training programs, for
which there are essentially no quality standards. For instance, training standards
could help assure a company or agency that a contractor's employees can be trusted
to perform its [...]. At colleges and universities, accreditation criteria
requiring all students studying subjects related to information technology to
[...] information assurance principles and practices could [...] the skill sets of
a wide range of future IT professionals.

•  Certification of IA Professionals. Many interview respondents stressed the
importance of certifying professionals in Information Assurance. They said that
certification standards that adapt quickly to the changing state of the [...]
Information Assurance are needed as a pool of qualified personnel develops.

•  Development as a profession. Recognition of information assurance as a [...],
through professional membership societies similar to those for other professions,
is vital to improving visibility and increasing [...]. Currently, the Information
Systems Security Association [...] respondents [...] that a professional [...]
positioned to take a lead role in curriculum development. Some interview
respondents even advocated a society to license information


[...] Group [...] Science Education, February 25-March 1, 1998 [...] Symposium on
Computer Science Education,

CRA Report, chapter 6.


assurance  specialists  because  of  the  potential  consequences  of  their  work  on 
public  health,  safety,  and  security.  In  the  field  of  Software  Engineering,  the 
Association  for  Computing  Machinery  provides  a  model  for  increasing 
visibility  and  addressing  licensing  issues  in  a  rising  career  field  with  its 
successful  Committee  to  Establish  Software  Engineering  as  a  Profession. 

•  Industry  participation.  Industry  can  make  a  significant  contribution  toward 
expanding  the  information  assurance  workforce  by  offering  internships; 
promoting  information  assurance  careers;  and  working  with  educators, 
curriculum  developers,  and  accreditation  boards.  Establishing  partnerships 
with  local  universities  and  training  centers  is  a  particularly  effective  method. 

•  Occupational  studies.  Commonly,  federal  IT  personnel  data  is  out  of  date  and 
has  classification  problems,  while  most  industry  data  is  firm  specific  and 
proprietary.6  In  order  to  assist  policymakers  and  educational  institutions  in 
assessing  national  personnel  and  training  needs,  improved  methods  of  data 
collecting  across  the  many  industries  that  employ  information  technology  and 
information  assurance  workers  are  needed. 

2.  Establish  a  Pool  of  Qualified  Instructors 

Interview  respondents  indicated  that  a  shortage  of  professors  limits  opportunities 
for  university  students  to  study  information  assurance.  Several  experts  said  that  research 
grants  for  university  faculty  would  help  to  engage  more  professors  and  instructors  in 
information  assurance  teaching  and  research  by  bringing  more  recognition  to  information 
assurance  as  a  field  of  academic  inquiry.  Many  also  said  information  assurance 
fellowships  for  graduate  study  are  needed  to  attract  a  sufficient  number  of  Ph.D.  students 
to  fill  teaching  positions. 

However,  other  respondents  said  that  fellowships  and  grants  would  not  make  a 
significant  difference.  Stronger  mechanisms  are  needed  to  address  the  following 
challenges: 

•  Graduate  fellowships  might  not  find  enough  recipients.  Due  to  the  appeal  of 
high-paying industry jobs, only 11 percent of computer science graduates
attend  graduate  school  in  this  country.7  With  low  demand  for  graduate  study, 


6  Ibid.,  chapter  10. 

7  Ibid.,  chapter  5. 



some fellowships in computer science today go unclaimed. [...] who complete the
Ph.D., only about 30 percent [...].

[...] activity. With a shortage of faculty in most computer science departments,
professors typically carry a heavy teaching load. Information assurance research
projects could take faculty out of the classroom, [...].

[...] the potential and challenges of such initiatives. In 1980, while the numbers
[...] graduate fellowships (some with [...] teaching after graduation) and worked
to build a first cl[...] in academia. These efforts helped [...] production to
1,000 per year by 1990, but not many of those doctorates chose to t[...] new
Ph.D.s awarded annually in computer [...].

In light of these challenges, [...] in ways [...] and offer special [...] students
[...] professors [...] devote more time to [...].


CRA  Report,  chapter  8. 




a.  Support  Professors 

Academic  research  grants  are  likely  to  engage  professors  from  computer  science 
and  other  disciplines  in  multidisciplinary  information  assurance  research  and  teaching 
activities.  The  grants  should  also  be  designed  to  encourage  recipients  to  continue  their 
academic  careers  in  information  assurance.  Interview  respondents  have  indicated  that 
grants  with  the  following  characteristics  could  act  as  incentives: 

•  Make  a  long-term  commitment  (e.g.,  5  years)  as  the  NSF  CAREER  grants  do 
(see  below)  but  with  more  funding  to  support  a  professor  plus  graduate 
students  for  the  full  term 

•  Provide  first-class  computing  facilities 

•  Support  fundamental  research  without  the  expectation  for  short-term  results 

•  Offer  high  prestige  through  high-level  involvement  with  the  sponsor  and  peer 
review  opportunities  (such  as  a  peer-reviewed  journal  of  information 
assurance) 

•  Include  teaching  requirements  and  incentives  to  help  instructors  convince  their 
universities  to  add  information  assurance  courses  to  course  offerings 

Interview  respondents  and  the  study  group  identified  some  other  programs  that 
could  serve  as  models  of  success  for  efforts  to  increase  the  visibility  and  interest  of 
faculty  in  the  field  of  information  assurance.  These  include  the  following: 

•  Industry-supported  department  chairs.  A  tangible  way  for  industry  to 
participate  in  the  training  of  information  assurance  professionals  is  to  endow 
teaching  positions  at  universities,  both  to  bring  greater  recognition  to 
information  assurance  faculty  and  courses  and  to  form  partnerships  with 
universities. 

•  Faculty  Early  Career  Development  (CAREER).  These  NSF  awards  are 
available  to  beginning  faculty  only.  They  last  4  to  5  years  and  offer  $200,000 
to  $500,000  each.  The  awards  are  designed  to  have  a  lasting  impact  on  the 
awardees’ research  and  teaching  careers.10 

•  Presidential  Early  Career  Awards  for  Scientists  and  Engineers  (PECASE). 
This  prestigious  award  gives  Presidential  recognition  to  outstanding  scientists 


10  “Faculty  Early  Career  Development  (CAREER),”  National  Science  Foundation, 
http://www.nsf.gov/home/crssprgm/career/start.htm. November 24, 1999.




[...] experts [...] collective action to show similar [...], but today such
collective action may be difficult to [...] information assurance professionals
are scattered across many industries. [...] far-reaching consortium may be able to
achieve effective collaboration.

b.  Foster  an  Interest  in  Teaching 

[...] to complete the Ph.D. and [...] after graduation. Some ways in which this
could be done are listed below:

•  [...] and more [...] freedom than other [...]

•  [...] participation in faculty preparation [...]

•  [...] Ph.D. is not [...] graduate school to pursue industry careers

•  [...] degrees and [...]

•  [...] for travel to academic conferences and career exploration [...] applied
specifically to the field of Information Assurance.


[...] November 24, 1999.

[...] second to none [...] by the [...]


•  Research Experience for Undergraduates (REU): Another NSF project, this
program  exposes  undergraduates  to  university  research  through  a  summer 
institute  and  could  inspire  interest  in  information  assurance  academic  careers 
if  specifically  applied. 

c.  Provide  Supplemental  Instructors 

Additional  instructors  and  support  staff  in  information  assurance  are  needed  at  all 
levels.  As  undergraduate  demand  increases,  professors  in  computer  science  carry  an 
increasingly  heavy  teaching  load  that  leaves  them  with  less  time  to  advise  graduate 
students.  In  fact,  according  to  the  Computing  Research  Association  study,  the  number  of 
newly  declared  undergraduate  computer  science  majors  at  research  universities  has  grown 
at  a  rate  of  40  percent  per  year  since  1997.14  Universities  could  be  encouraged  to  use 
supplemental  instructors,  such  as  professors  who  have  retrained  for  information  assurance 
and  adjuncts  from  industry,  to  help  introduce  information  assurance  topics  into  their 
curricula.  Support  staff  could  be  provided  to  assist  with  research-related  tasks. 

•  Use  of  adjuncts.  Interview  respondents  indicated  that  there  is  a  sizeable 
number  of  professionals  in  industry,  government,  and  other  sectors  who  would 
like  to  help  teach  courses  in  universities,  but  university  and  company  policies 
often  prohibit  them  from  doing  so.  If  such  restrictions  were  lifted,  industry 
could  become  a  major  source  of  adjunct  instructors,  especially  in  locations 
where  the  local  IT  industry  is  strong. 

•  Support  staff.  Funding  for  personnel  who  are  responsible  for  performing 
administrative  tasks,  maintaining  laboratory  equipment,  and  teaching 
undergraduate  laboratories  would  help  support  university  education.  These 
personnel  would  give  computer  science  professors  and  graduate  students  more 
time  to  teach,  advise,  and  conduct  research  in  departments  with  increasingly 
heavy  teaching  burdens. 

•  Faculty  Retraining.  This  idea  grows  out  of  a  program  called  Institute  for 
Retraining  in  Computer  Science  (IFRICS)  that  took  place  from  1983  to  1989 
and  similar  programs.  At  IFRICS,  which  was  jointly  sponsored  by  the 
Association  for  Computing  Machinery  (ACM)  and  the  Mathematical 
Association  of  America  (MAA),  mathematics  professors  could  become 
qualified  to  teach  undergraduate  computer  science  courses  through  two 
summers  of  intensive  training.  IFRICS  served  as  a  major  source  of  instructors 
as  the  new  field  of  computer  science  grew  in  the  1980s.  The  IFRICS  model 
could  be  applied  to  information  assurance,  attracting  faculty  from 


14  CRA  Report,  chapter  3. 



a [...]. Although [...] computer science has developed [...] status [...].
[...] Computer Sciences Accreditation Board, which is being merged into the
Accreditation Board of Engineering and Technology (ABET), [...] calls for each
professor to demonstrate “at least a level of [...] competence that would normally
be obtained through graduate work in [...] could be [...] through participation in
a retraining [...] instructors other than full-time faculty to teach courses [...]
and should cover at least 70 percent of [...].

C. CURRENT ACTIVITIES

[...] government and private sector activities have been [...]. [...] interviewees
agreed [...].

1.  Government  Initiatives 

[...] approval [...] notable [...] initiative [...] information security positions
for four years. The program would support up to 300 students per year.


[...] of the Computing Sciences Accreditation Board (CSAB) [...] June 1996.
http://www.csab.org/criteria96[...]. November [...] 1999.


Other  elements  of  the  FCS  education  and  training  initiative  include  the  following: 

•  Office  of  Personnel  Management  (OPM)  occupational  study  to  identify 
training,  certification,  and  personnel  requirements  for  information  systems 
security  occupational  needs  within  the  Federal  Government 

•  Centers  for  Information  Technology  Excellence  (CITE)  to  train,  certify,  and 
retrain  federal  information  security  personnel 

•  High  school  recruitment  and  training  initiative  to  identify  promising  students, 
promote  awareness,  develop  a  Federal  INFOSEC  awareness  curriculum 

•  Federal  INFOSEC  awareness  curriculum  to  ensure  the  entire  Federal 
workforce  is  developing  computer  security  literacy16 

The  National  Security  Agency  recently  initiated  a  high-profile  program  called  the 
National  INFOSEC  Education  and  Training  Program  (NIETP)  to  recognize  universities 
that  offer  significant  research  and  education  programs  in  information  assurance  with  the 
designation  INFOSEC  Center  of  Excellence.  In  order  to  gain  that  recognition, 
universities  must  meet  the  curriculum  standards  that  are  used  for  the  training  of  federal 
INFOSEC  professionals.17  Seven  universities,  listed  below,  have  qualified  for  the 
designation: 

•  James  Madison  University 

•  George  Mason  University 

•  Idaho  State  University 

•  Iowa  State  University 

•  Purdue  University 

•  University  of  California  at  Davis 

•  University  of  Idaho 

Other  government  organizations  involved  in  activities  related  to  information 
security  education  and  training  include  the  following: 

•  National  Security  Telecommunications  and  Information  Systems  Security 
Commission  (NSTISSC).  Develops  curriculum  and  training  standards  for 


16  National  Plan  for  Information  Systems  Protection,  Executive  Summary,  The  White  House,  pp.28-29, 
http://ww.whitehouse.gov/WH/EOP/NSC/html/documents/musp-execsunmiary-000105.pdf. 

January  7, 2000. 

17  “Centers  of  Academic  Excellence  in  Information  Assurance  Education,”  NSA  INFOSEC  Page, 
http://www.nsa.gov:8080/isso/programs/coeiae/index.htm.  November  17, 1999. 



federal information security personnel and serves as a national-level forum for
training issues. Also participates in government-private industry efforts to
establish training guidelines and standards and to promote sharing of
information among all federal agencies.

•  National Science Foundation (NSF). Executes a variety of programs related
to research and education, including summer salary for investigators, support
for graduate assistants, travel, and equipment. Received $18.4 million of the
$485.2 million in the FY2000 Federal Critical Infrastructure Protection
Research and Development budget, but these funds went to existing
initiatives related to infrastructure protection rather than to introduce new
information security programs.

•  Department of Defense (DoD). DoD places particular emphasis on training its
workforce. For instance, each service plus the NSA, DIA, and DISA provide
a [...] range of information security courses to their system and network
administrators. All these plus the Defense Logistics Agency (DLA) provide
information security training for Information Systems Security Managers and
Information Systems Security Officers.20 Still, DoD is increasingly concerned
about the size, quality, readiness, and retention of its information security
workforce, both civilian and military. In September, 1998, an Information
Assurance and Information Technology Human Resources Integrated Process
Team was commissioned to recommend mechanisms to achieve and sustain
critical information security and information technology management skill sets
in the Department.

•  Naval Postgraduate School. Offers program of information security education
and research leading to master’s and Ph.D. degrees for officer-students.21


18 


19 


20 


21 




2.  Private  Sector  Activities 

Some  examples  of  organizations  outside  the  government  that  are  working  to 
address  information  assurance  educational  and  professional  needs  include  the  following: 

•  National  Colloquium  for  Information  Systems  Security  Education  (NCISSE). 
Created  in  1997,  NCISSE  provides  a  forum  for  leading  figures  in  government, 
industry,  and  academia  to  work  in  partnership  to  define  current  and  emerging 
requirements  for  information  systems  security  education.  One  goal  of  the 
Colloquium  is  to  influence  and  encourage  the  development  of  information 
security  curricula,  especially  at  the  graduate  and  undergraduate  levels.  The 
Colloquium  web  sites  currently  contain  course  materials  on  Ethics  in 
Computing,  Risk  Management,  and  Malicious  Logic.22 

•  International Information Systems Security Certification Consortium ([ISC]2).
The (ISC)2 is an international organization dedicated to the certification of
information systems security professionals and practitioners. (ISC)2 grants
the “Certified Information Systems Security Practitioner” (CISSP)
certification to qualified individuals. Candidates are required to pass an
examination and subscribe to the (ISC)2 code of ethics.23

•  Information  Systems  Security  Association.  International  organization  of 
information  security  professionals  and  practitioners.  Provides  education 
forums,  publications  and  peer  interaction  opportunities  that  enhance  the 
knowledge,  skill  and  professional  growth  of  its  members.24 

•  Purdue  University  Center  for  Education  and  Research  in  Information 
Assurance  and  Security  (CERIAS).  Center  for  education  and  research  in 
Information  Assurance  and  Security,  with  activities  ranging  from 
multidisciplinary  research  with  industry  sponsors  to  training  of  specialists  to 
public outreach.25

•  James  Madison  University.  Offers  a  master’s  program  with  concentration  in 
information security that is administered over the Internet.26


22 National Colloquium for Information Systems Security Education,
http://www.infosec.jmu.edu/ncisse. November 23, 1999.

23 International Information Systems Security Certification Consortium,
http://www.isc2.org. November 23, 1999.

24 Information Systems Security Association, http://www.issa.org. November 23, 1999.

25 “Center for Education and Research in Information Assurance and Security,”
Purdue University, www.cerias.purdue.edu. November 23, 1999.

26 “Information Security Program at James Madison University,” James Madison
University, www.infosec.jmu.edu. December 3, 1999.


•  [...] Offers [...]

3.  Functional  Gaps 

[...] being performed and [...] information assurance. First, there is a need to
increase the size and scope of each of [...]. Second, a considerable number of
roles remain to be fi[...]. [...] provides a summary assessment of the adequacy of
existing activities.

D. THE ROLE OF THE I3P

[...] workforce. [...] experts agree that action must be [...] to [...] execution
of the I3P’s research or [...] require few additional resources [...] well
positioned to [...] such activities, including the following:

[...] with long-term commitments, peer review opportunities, teaching [...]
products and findings to [...]

[...] developing curriculum, certifying information assurance professionals, [...]
fellowship support [...] students. Indeed, [...] because of its unique
relationships with industry and government and its ongoing activities in the areas
of R&D, information sharing and [...] evaluation. Still, the role of the I3P in
education and training was most commonly described as bringing attention to


27 “AFCEA International,” Armed Forces Communications and Electronics Association,
December 3, 1999.


the  needs  or  coordinating  a  sustainable  effort  among  many  players,  including  government, 
industry,  and  academia. 


Table 9-3. Assessment of Existing Education and Training Activities

Task | Existing Activities | Assessment | I3P Role
--- | --- | --- | ---
Increase Number of Information Assurance Professionals | | |
Scholarships | Scholarships for Service proposal | Require gov’t service, not yet approved | Co-sponsor private sector scholarships
Curriculum development | NCISSE, NSTISSC | NCISSE new, NSTISSC for government needs | Provide research support, sponsor workshops
Accreditation of college and university programs | ABET will soon oversee all computer-related programs | May expand coverage, potentially including information assurance | Encourage accreditors to include information assurance
Program Recognition | NSA-NIETP | Recognition but few financial awards | Encourage and support
Accreditation or training standards for non-degree programs | NSTISSC | Essentially no accepted standards outside government | Support development of standards
Certification of IA professionals | (ISC)2 | Must adapt quickly to changing needs | Support ongoing certification efforts
Development as a profession | (ISC)2, ISSA | Need for more honors, discussion of licensing issues | Collaborate on body of knowledge, licensing issues
Industry consortia to further information assurance education | None identified | Should include training forum and Ph.D. hiring restraints | Help bring industry together
Occupational studies | OPM | Only for government | Conduct studies
Establish Pool of Qualified Instructors | | |
Graduate student support | NSF | Lack information assurance fellowships with specific teaching incentives | Co-sponsor suitable fellowships
Research grants | DARPA, NSA, NSF | Some lack long-term commitment, teaching requirement, and peer review opportunities | Shape own research grants to help retain professors
Foster interest in teaching | None identified | None identified | Promote awareness, encourage, support
Endowed chairs in information assurance | None identified | None identified | Help get industry involved
Faculty retraining | None identified | None identified | Promote awareness, encourage, support
Liberalize use of adjunct faculty | None identified | Limited by school and company policy | Promote awareness, encourage, support
Increase support staff | None identified | None identified | Add to research grants


Therefore,  it  is  reasonable  to  conclude  that  the  I3P  should  work  primarily  to 
identify  and  support  the  outside  organizations  that  are  best  qualified  to  perform  the 
education  and  training  tasks  identified.  For  instance,  professional  societies  may  have 
unique  credibility  among  educators  for  developing  curricula.  Independent  certification 
bodies  traditionally  perform  professional  certification.  Financial  support  for  students 
could  come  from  any  number  of  organizations  in  government  or  industry. 

An appropriate way for the I3P to carry out its role is to monitor carefully the
progress  of  outside  organizations  in  addressing  workforce  needs.  In  order  to  do  this 
effectively,  the  I3P  will  likely  need  to  develop  improved  methods  for  collecting  IT 
workforce  data.  As  the  CRA  study  reports,  federal  IT  personnel  data  is  outdated  and  has 
classification problems while industry data is often incomplete.28 The I3P is well
qualified,  through  its  information  sharing  function,  to  collect  and  sanitize  data  on  the 
information  assurance  workforce,  assess  educational  needs,  and  identify  training  gaps. 

As  needs  and  gaps  are  identified,  the  I3P  should  resist  the  temptation  to  fill  the 
gaps  with  its  own  programs.  Instead,  it  should  work  to  increase  the  size  and  scope  of 
existing activities and create partnerships with organizations that can most effectively
address the problems. The I3P should offer these organizations all the expertise,
resources,  and  incentives  available,  including  the  benefit  of  its  ongoing  activities  in 
research  and  development,  product  and  services  evaluation,  and  information  sharing. 
Some  examples  of  tasks  that  build  on  these  ongoing  activities  are  listed  in  table  9-4. 


Table 9-4. Tasks and Related I3P Activities

Task | Related I3P Activity
--- | ---
Workforce monitoring, development of new data collection methods if needed | Research and Development, Information Sharing
Graduate student support | Research and Development
Research grants to university professors | Research and Development
Funding for support staff | Research and Development
Curriculum development | Research and Development
Accreditation of college and university programs | Product and Services Evaluation
Accreditation or standards for non-degree programs | Product and Services Evaluation
Certification of IA professionals | Product and Services Evaluation
Training consortium | Information Sharing

28 CRA Report, chapter 10.


Because  of  the  experts’  agreement  over  the  importance  of  addressing  these 
education  and  training  needs,  the  I3P  should  consider  building  its  own  capabilities  to 
perform  some  of  the  critical  functions  should  outside  organizations  become  unwilling  or 
unable  to  do  so. 

Figure  9-1  summarizes  the  I3P’s  role  in  education  and  training. 


Promote  the  education  and  training  of  the  practitioners,  educators,  and  researchers  needed  to  provide 
information  assurance  for  the  critical  infrastructure  sectors: 

•  Monitor  the  ability  of  existing  programs  to  meet  workforce  requirements 

•  Address  shortfalls  through  partnerships  with  outside  organizations  or  I3P  activities 

•  Link the I3P's activities in other areas to education and training needs:

   -  Speed the flow of the I3P research results to interested educational and professional
      organizations

   -  Tailor sponsored research projects to support objective of increasing number of information
      assurance teachers and researchers

   -  Use intramural and extramural hiring and intern policies to attract bright people to the
      information assurance field

Figure 9-1. The I3P's Role in Education and Training

E. OPERATIONAL MODELS

The  National  Institutes  of  Health  (NIH)  may  serve  as  a  useful  model  for  designing 
the  I3P.  The  NIH  is  a  national,  mission-oriented  research  organization  that  participates 
actively  in  supporting  education  and  training  activities.  Mechanisms  it  has  developed 
may  well  prove  relevant  for  information  assurance. 

The  NIH  mission  is  to  uncover  new  knowledge  that  will  lead  to  better  health  for 
everyone.  Some  of  the  education  and  training  activities  that  NIH  performs  are  analogous 
to  those  proposed  for  the  I3P,  for  example: 

•  Long-term  research  grants  (averaging  four  years)  for  university  faculty 

•  Graduate  student  support,  some  with  incentives  to  complete  the  Ph.D. 

•  Workshops  that  bring  researchers  together  to  solve  problems 

•  Curriculum  development 

NIH  sets  education  priorities  in  a  deliberative  manner.  At  NIH,  the  Director  of 
each  institute  is  responsible  for  evaluating  the  opinions  of  numerous  advisory  groups. 
These  include  (but  are  not  limited  to)  Congress,  the  administration,  other  federal 
agencies, patient organizations, and national advisory councils that evaluate trans-NIH
activities and recommend policy and budget directions. There is also ample opportunity
for  public  input  and  oversight  of  activities. 

NIH  works  cooperatively  with  other  educational  organizations,  especially  the 
National  Science  Foundation.  NIH  funds  some  education  programs  jointly  with  the  NSF 
and  operates  others  that  are  explicitly  modeled  after  NSF  programs.29  It  also  conducts  its 
own initiatives. The proposed I3P might operate in a similar way, cooperating with NSF
in cases of common interests but sponsoring its own programs to achieve objectives
specific  to  information  assurance. 

In  supporting  education  and  training,  the  experts  indicated,  the  I3P  should  follow 
the Centers of Excellence approach. For example, in two existing initiatives, NSA's
NIETP program and the proposed Federal Cyber Services education and training
initiative, efforts are first concentrated at a limited number of institutions that have
demonstrated  significant  information  assurance  activity.  Rather  than  attempting  to 
support  activities  at  every  institution,  the  I3P  should  first  focus  on  centers  of  excellence 
where  programs  can  be  developed  and  tested.  Then,  efforts  can  be  expanded  to  the  wider 
community  through  the  centers. 


29 National Institutes of Health, “Setting Research Priorities at the National Institutes of Health,”
www.nih.gov/news/ResPriority/priority.htm, November 12, 1999.



Part  IV 

Toward  an  Institute  for  Information  Infrastructure  Protection 


Chapter  10 

EVALUATION  OF  ALTERNATIVE  STRUCTURES 

The  preceding  chapters  describe  growing  concerns  among  informed  experts  over 
the  vulnerabilities  in  the  nation’s  information  infrastructures  and  outline  the  R&D  and 
related  functions  they  propose  to  better  understand  and  address  these  vulnerabilities.  Our 
interviews  and  workshops  revealed  widespread  support  for  action. 

We  found  mixed  views  among  the  experts,  however,  regarding  which 
organization  is  best  suited  to  perform  the  needed  new  functions.  On  one  hand,  many 
experts  cite  the  wealth  of  activities  that  have  already  begun  to  address  vulnerabilities  in 
several  infrastructure  sectors,  and  question  whether  any  new  organization  is  needed.  On 
the  other  hand,  there  is  broad  agreement  that  none  of  the  existing  organizations  is  focused 
primarily  on  information  infrastructure  protection  or  positioned  to  integrate  activities 
across  the  full  range  of  infrastructures,  technologies,  and  functions  that  need  to  be 
addressed.  On  balance,  there  is  a  broadly  recognized  need  for  a  new  organization — 
provided  it  can  be  structured  to  perform  this  ambitious  mission  effectively. 

This  chapter  examines  several  potentially  effective  organizational  approaches. 
We  evaluate  the  PCAST’s  proposed  laboratory,  along  with  three  alternatives  that  were 
proposed  in  the  course  of  this  study:  (1)  a  programmatic  initiative  by  the  government  that 
would  create  no  new  organizations,  (2)  a  new  mission-focused  government  agency,  and 
(3)  a  consortium  of  private  sector  firms  or  universities.  We  assess  each  of  these 
alternatives  and  explain  why  an  organization  similar  to  the  laboratory  proposed  by  the 
PCAST  holds  the  greatest  promise  of  success. 

In  weighing  these  alternative  structures  we  have  focused  on  the  fact  that  the 
information  infrastructure  is  owned  primarily  by  the  private  sector.  Infrastructure  owners 
and  operators  are  ultimately  responsible  for  correcting  security  deficiencies.  Industry  also 
retains  the  rights  to  the  information  that  is  essential  for  identifying  and  assessing 
infrastructure  vulnerabilities.  Extensive  industry  participation  is  therefore  needed  to 
provide  an  understanding  of  real  world  vulnerabilities  and  to  disseminate  vulnerability 
awareness  information,  R&D  results,  and  other  information  to  a  wide  array  of 
infrastructure builders, owners, and operators. The task at hand requires an organization
that can respond to government needs and influence government programs while
remaining  closely  linked  to  industry. 

Our review began with the PCAST's proposed laboratory, which is described in
chapter 1. We found broad support for the basic mission outlined in the PCAST proposal.
In the course of our interviews and workshops, however, participants suggested
modifications to enhance the viability of the PCAST's concept. These changes entailed
increasing the emphasis on industry leadership and involvement, focusing R&D and
related functions more tightly on areas not addressed by industry and government, and
limiting the new entity to a small core staff combined with a strong external program.
We refer to the modified proposal as The Institute for Information Infrastructure
Protection (“I3P”). The I3P forms the benchmark for our assessment of alternatives.

In brief, the I3P would take the form of a private, not-for-profit organization with
a senior private-sector board of directors. (A detailed concept of operations is presented
in chapter 11.) It would interact extensively with private firms in both shaping and
executing its program. At the same time, the I3P would receive government funds and
would be chartered to support and coordinate with ongoing government activities. Some
of its tasks would support the OSTP's Critical Infrastructure Protection Interagency
Working Group and the NSC's National Critical Infrastructure Protection Coordinator in
strategy development and planning. A relatively small in-house staff would focus on
leadership, planning, resource allocation and coordination. A small amount of the I3P's
functional work would be done in-house, but most would be contracted for and executed
externally.

The  remainder  of  this  chapter  describes  the  I3P  and  each  of  the  three  broad 
alternatives to the I3P that we considered in the review. We will then summarize our
assessment  of  the  strengths  and  weaknesses  of  these  alternatives  versus  the  proposed  I3P. 

A.  PROGRAMMATIC  INITIATIVE 

One  alternative  is  to  increase  the  funding  and  range  of  functions  performed  by 
existing  government  organizations.  Organizations  that  are  already  involved  in  conducting 
or  sponsoring  information  assurance  research  or  that  have  some  responsibility  for 
infrastructure  protection  would  execute  the  enhanced  program.  Existing  government 
mechanisms  would  be  used  to  coordinate  across  these  activities.  This  would  be  similar  to 
many other government-wide programmatic initiatives, where a new program is
coordinated through existing organizations. Examples in the information technology area
include  High-Performance  Computing  and  the  Next  Generation  Internet. 

In  exploring  this  approach,  we  identified  and  assessed  ongoing  activities  that 
might  assume  the  needed  new  functions. 

1.  Coordination  Activities 

Two  examples  of  existing  mechanisms  illustrate  how  a  programmatic  initiative  on 
information  infrastructure  protection  research  might  be  coordinated. 

The  Critical  Infrastructure  Protection  Interagency  Working  Group  (CIP-IWG). 
The  CIP-IWG  is  the  activity  that  is  currently  responsible  for  coordinating  federal  R&D 
for  infrastructure  protection.  The  group  is  examining  R&D  options  across  several  private 
infrastructure  sectors,  including  Banking/Finance,  Information  and  Communications, 
Energy,  Transportation,  and  Vital  Human  Services,  identifying  high  priority  cross-cutting 
common  needs  and  sponsoring  R&D  workshops.  The  CIP-IWG  was  formed  by  the 
Executive  Office  of  the  President,  is  chaired  by  the  Office  of  Science  and  Technology 
Policy,  and  has  representatives  from  the  key  R&D  programs  across  the  government. 

The  CIP-IWG  is  responsible  for: 

•  Monitoring  and  coordinating  ongoing  and  planned  government  R&D 

•  Fostering  conditions  for  developing  a  close  R&D  partnership  with  the  private 
sector,  academia  and  international  groups 

•  Facilitating  transfer  of  technology  from  government  agencies  to  the  private 
sector 

The  CIP-IWG  could  be  expanded  to  coordinate  programs  addressing  all  four  of 
the  functional  areas  outlined  in  Part  III.  One  major  shortcoming  of  this  approach  is  that  it 
provides  a  weak  mechanism  for  integrating  across  programs  and  functions.  There  is  no 
permanent  staff,  so  only  limited  resources  are  available  to  it.  In  addition,  the  working 
group  has  had  relatively  limited  interaction  with  industry  because  it  has  focused  primarily 
on  coordinating  government  programs. 

National  Coordinating  Office  for  Computing,  Information,  and  Communications 
R&D  (NCO-CIC).  A  second  government  coordinating  activity  is  the  NCO-CIC,  which 
provides  a  more  substantial  coordinating  structure  than  does  the  CIP-IWG.  The  NCO-CIC 
has a small permanent staff and established ties with industry executives. It reports to the
OSTP and has representatives from 12 agencies. It is currently coordinating R&D
programs  in  the  following  areas: 

•  High  End  Computing  and  Computation  Working  Group  (HECC) 

•  Large-Scale  Networking  Working  Group  (LSN),  and  Next  Generation  Internet 
Initiative  (NGI) 

•  High  Confidence  Systems  Working  Group  (HCS) 

•  Human  Centered  Systems  Working  Group  (HuCS) 

•  Education,  Training,  and  Human  Resources  Working  Group  (ETHR) 

•  Federal  Information  Services  and  Applications  Council  (FISAC) 

The NCO-CIC also supports the President’s Information Technology Advisory
Committee (PITAC), which comprises 26 academic and industry leaders charged with
providing an independent assessment of the federal government’s role in information
technology R&D.

The  NCO  could  coordinate  a  program  for  information  infrastructure  protection 
research  in  parallel  with  its  ongoing  activities.  The  functions  extend  beyond  the  NCO’s 
usual  focus  on  R&D,  but  the  staff  could  be  beefed  up  to  handle  the  needed  coordination 
activities.  Establishing  a  permanent  information  infrastructure  protection  research 
program  under  the  NCO  would,  in  the  view  of  many  IDA  workshop  participants,  be  the 
best  way  to  implement  a  programmatic  initiative.  (Note  that  this  option  differs  from  the 
establishment of a governmental mission-focused activity, as described in a subsequent
section, in that the NCO would remain a coordinating activity that does not have direct
control  over  budgets.) 

2.  Functional  Activities 

Under  the  programmatic  initiative,  functional  roles  would  be  assigned  to 
organizations  that  are  already  performing  similar  functions.  The  leading  candidates  in 
each  functional  area  are  described  in  Chapters  6  through  9  and  are  recapped  briefly  in  the 
following  paragraphs.  It  is  important  to  note  that  none  of  these  activities  spans  all  of  the 
functional  areas,  so  integration  across  functions  would  have  to  be  accomplished  through  a 
coordinating  mechanism,  such  as  the  NCO. 

R&D Functional Activities. As described in chapter 6, the primary agencies
funding related R&D include the National Security Agency, the Defense Advanced
Research Projects Agency, the National Institute of Standards and Technology, and the
National Science Foundation. The span of program coverage and management styles
varies  significantly  across  these  agencies.  Basing  the  information  infrastructure 
protection  R&D  function  within  these  organizations  would  be  challenging  to  their 
cultures,  because  it  requires  a  long-term  programmatic  focus,  emphasis  on  technology 
deployment,  and  coverage  across  many  disciplines  and  economic  sectors.  Many  experts 
believe  these  existing  programs  are  therefore  unsuited  for  the  information  infrastructure 
protection  R&D  function. 

Information  Sharing  Activities.  Responsibility  for  information  sharing  could  be 
assigned  to  the  existing  activities  described  in  chapter  7.  Prime  candidates  include  the 
National  Infrastructure  Protection  Center  or  the  National  Security  Telecommunication 
Advisory  Committee's  National  Security  Information  Exchange.  Information  sharing 
responsibilities  could  also  be  assigned  to  the  Computer  Emergency  Response  Teams.  As 
explained  in  chapter  7,  these  activities  focus  primarily  on  operational  matters,  and 
therefore  do  not  deal  with  the  longer-term  information  required  for  research  and 
development.  None  of  these  activities  is  positioned  to  exchange  the  kinds  of  information 
outlined  in  chapter  7,  and  under  this  structure  they  may  not  be  able  to  share  it  with  the 
necessary  research  and  development  activities  or  to  protect  it  from  disclosure  in  a  way 
that  satisfies  private  sector  needs. 

Product  and  Services  Evaluation.  As  described  in  chapter  8,  the  National  Security 
Agency, the National Institute of Standards and Technology, and the National
Information  Assurance  Partnership  (NIAP)  have  the  lead  government  responsibility  for 
establishing  and  implementing  product  and  service  evaluation  technologies  and  methods. 
The  concept  of  the  NIAP  provides  an  effective  framework  for  product  and  service 
evaluation.  This  responsibility  would  be  retained  under  all  models  discussed.  In  the 
programmatic  initiative,  this  presents  the  coordination  activity  with  the  challenge  of 
ensuring  that  effective  ties  are  forged  between  R&D  activities  and  the  NIAP. 

Education  and  Training.  The  lead  candidate  for  this  functional  area  under  a 
programmatic  initiative,  described  in  chapter  9,  is  the  National  Science  Foundation.  As 
with  the  product  and  services  evaluation  function,  the  challenge  is  to  ensure  effective 
cross-functional  linkages,  in  this  case  between  the  research  and  educational  communities. 

3.  Assessment 

A  programmatic  initiative  is  a  possible  mechanism  for  performing  the  needed 
functions. This option has been discussed extensively, and it has received considerable
support from many experts within the government as well as from some in industry and
academia. It has the advantage of being relatively easy to implement compared with the
other options, but, as noted above and [...] a relatively weak structure
for integrating across activities and functions.

[...] programmatic initiative is: Do the four
related information [...] discussed in the preceding section
need to be consolidated in a single integrated [...] responsible for all four functions, or
could they be performed just as effectively if [...] independently? [...]
the latter scheme, testing and evaluation, for example, could be managed by the National
Information Assurance Partnership while [...] NSF [...]
each in different management [...]
cognizance of different congressional committees. [...] approach has the advantage of
being relatively easy to get started; [...] general agreement during
workshops and interviews that a single unified [...] to be created to perform the
critically important, overarching [...] functions. In important ways,
the functions enable and draw strength from each other. A coordinated programmatic
initiative, therefore, is not considered an effective [...] the needed degree of
integration; a single, real organization is required.

[...] described [...] drive [...] requirement to
create a new organization are Research and Development and Information Sharing.
Perhaps the most fundamental misgiving with the programmatic initiative was the general
sense that budgeting and control processes force government programs to react much too
slowly to keep up with a rapidly changing [...] environment. [...] a strong [...]
keep up with either the pace or demand of [...]
[...] government, whether
as part of a programmatic initiative [...] government organization,
would be likely to meet with substantial industry [...] worries that any
information it may share [...]
intelligence and law enforcement agencies or (through [...] requests) become available
to commercial competitors. One of the [...] has been industry
unwillingness to share [...] information (especially concerning vulnerabilities)
with the government or competitors.

A  programmatic  initiative  may  also  be  read  as  a  sign  of  weak  government 
commitment.  A  constant  refrain  in  interviews  and  workshops  was  industry  frustration 
with  the  nebulous  and  disorganized  character  of  government  programs.  Even  when 
industry  wants  to  cooperate  with  government,  the  appropriate  government  entity  with 
which  to  cooperate  is  not  always  clear.  Moreover,  programmatic  initiatives  often  start  out 
energetically  but  tend  to  fade  as  administrations  and  “crises  du  jour”  change,  and 
government  efforts  to  date  have  not  fostered  confidence  that  existing  activities  are  up  to 
the  job. 

Strong  integration  capability  is  needed,  but  no  single  organization  within 
government  “owns”  the  problem  and  has  the  breadth  of  vision  to  tackle  its  complexity  or 
even  to  understand  what  is  already  being  done.  An  interagency  coordination  mechanism 
such  as  the  NCO  would  be  a  significant  improvement  over  the  current  CIP-IWG 
framework,  but  it  still  could  not  solve  the  ownership  issue.  Further,  the  agency  most 
likely to take the lead in such an initiative—the Department of Commerce—is perceived
as too weak in the interagency process to be a reliable steward of information
assurance. But the agency with the most institutional clout and
experience  promoting  and  executing  such  initiatives — the  Department  of  Defense — 
would  automatically  arouse  suspicions  of  pursuing  its  own  agenda  at  the  expense  of 
commercial  needs.  In  general,  there  is  concern  that  a  programmatic  initiative  might  focus 
on  individual  government  agency  requirements  rather  than  tackling  the  needs  and 
concerns  of  industry  to  the  degree  that  will  be  required  here. 

Of  the  four  organizational  options,  the  programmatic  initiative  poses  the  fewest 
management  hurdles  to  slow,  or  potentially  block,  progress.  It  offers  the  easiest,  quickest, 
and  lowest  start-up  cost  and  presents  the  fewest  potential  legal  and  regulatory 
complications.  However,  the  very  simplicity  and  economy  of  such  an  approach  is  viewed 
by  many  as  a  signal  of  a  continued  lack  of  real  commitment.  A  government  response 
limited  to  a  programmatic  initiative,  therefore,  is  viewed  as  unlikely  even  to  get 
industry’s  attention,  much  less  its  cooperation.  As  detailed  above,  those  interviewed  saw 
this  as  the  weakest  option  from  a  functional  perspective.  Perhaps  its  most  important 
disadvantage  is  the  perception  that  such  a  programmatic  initiative,  lacking  a  centralizing 
and  guiding  advocate,  would  remain  unfocused  and  stove-piped  and  would  contribute 
little  to  the  ultimate  goal  of  integrating  a  national  information  assurance  agenda  across 
disciplines  and  sectors. 


B.  MISSION-FOCUSED  GOVERNMENT  ACTIVITY 

A  second  option  is  to  consolidate  ongoing  information  infrastructure  protection 
R&D  activities  and  the  three  closely  related  functional  areas  (information  sharing, 
fostering  product  and  services  evaluation,  and  sponsoring  education  and  training)  into  a 
new  government  activity  focused  on  the  information  infrastructure  protection  challenge. 
This  is  a  natural  alternative  to  consider:  The  government  (as  does  any  institution)  often 
creates  new  organizations  to  address  important  challenges,  employing  organizational 
approaches  tailored  to  suit  the  scope  of  the  problem. 

1.  Examples 

The  following  examples  illustrate  how  this  approach  has  been  used  in  the  past. 
They  range  from  establishing  a  new  agency,  to  establishing  a  programmatic  office,  to 
establishing  a  federated  activity  among  existing  organizations. 

Agency  (NASA,  NIH,  FEMA).  The  creation  of  NASA  represents  a  well-known 
historical  example  of  this  approach.  NASA  consolidated  ongoing  activities,  and  brought 
greater  focus  and  resources  to  space  exploration  and  related  activities.  The  National 
Institutes  of  Health  is  another  good  example  of  a  mission-focused  R&D  activity.  Over 
the  years,  various  aspects  of  biological  and  health-related  R&D  have  been  deemed  to  be 
of sufficient scope and importance to warrant federal funding of research by Ph.D.
specialists  as  well  as  physicians  in  a  facility  near  the  seat  of  government.  An  example  of 
a  very  different  nature  is  the  creation  of  the  Federal  Emergency  Management  Agency.  It 
has  consolidated  a  range  of  emergency  response  responsibilities  from  across  the  federal 
government,  and  it  coordinates  a  range  of  additional  activities  that  remain  within 
responsible  agencies. 

Office (Drug Enforcement Office and the Y2K Office). The creation of a
mission-focused office, with some funding authority, provides a smaller-scale alternative to the
creation  of  a  new  agency.  One  example  is  the  Office  of  National  Drug  Control  Policy. 
This  office  is  part  of  the  Executive  Office  of  the  President.  It  can  fund  research  and 
development,  and  other  functions.  In  addition,  it  has  review  authority  over  the  budgets  of 
other  federal  agencies  with  programs  relating  to  the  counter-drug  mission.  Another,  more 
recent,  example  of  this  approach  was  the  creation  of  the  Information  Coordination  Center 
of  the  President’s  Council  on  Year-2000  Conversion  to  provide  a  coordinated  federal 
approach  to  prepare  information  systems  and  to  develop  contingency  responses.  The 
office is credited with meeting the complexity of the Y2K IT challenge by inspiring
public-private cooperation. This activity has budgetary authority for addressing the
mission,  and  it  has  allocated  resources  to  agencies  to  address  their  problems. 

Federated  Activity.  Finally,  a  third  and  weaker  variant  of  the  mission-oriented 
activity  is  the  creation  of  a  “federated”  activity  to  provide  a  virtual  integration  of 
programs  across  existing  organizations.  For  example,  a  Federated  Laboratory  Model  has 
been  developed  at  the  Army  Research  Lab  (ARL).  It  entails  collaborative  research  in 
specified areas between the ARL and research consortia that include government
agencies,  private  sector  firms,  and  universities.  Five-year  Cooperative  Research  and 
Development  Agreements,  or  “CRADA’s,”  address  issues  of  intellectual  property  rights 
and  staff  rotations  in  ways  that  are  satisfactory  both  to  private  participants  and  to  ARL. 
The  approach  has  been  very  successful  in  attracting  industry  participation.  Some  activity 
is  under  way  in  industry  to  review  by-laws  and  charters  for  operations  to  create  such  a 
Federated  Laboratory  for  information  assurance. 

2.  Assessment 

Creating  a  mission-focused  government  activity  provides  a  reasonable  alternative 
to  the  creation  of  a  new  private-sector  organization.  As  described  here,  the  government 
has  often  used  this  approach  to  address  various  kinds  of  emerging  challenges.  Creation  of 
a  new  government  R&D  organization  focused  on  protection  of  the  critical  information 
infrastructures  could  increase  the  perception  of  a  serious  commitment  to  solving  the 
problems  associated  with  information  assurance.  Such  an  organization  could  be 
structured  to  provide  the  needed  breadth  of  vision  to  set  a  national  agenda  for  information 
assurance.  In  some  respects,  starting  a  new  government  office  comparable  to  the  Y2K 
office  or  continuing  the  Y2K  office  with  a  new  mission  might  be  easier  than  establishing 
a  comparable  private  sector  organization. 

Beyond  that,  however,  this  option  would  present  many  of  the  same  functional 
limitations  as  would  a  programmatic  initiative.  In  particular,  it  does  not  address  the 
cultural  gap  between  industry  and  government.  Many  see  the  bureaucratic  politics  and 
fiscal  oversight  requirements  that  surround  government  R&D  as  fundamentally 
incompatible  with  the  business  models  that  govern  the  IT  and  related  industries.  In 
addition,  concerns  over  access  to  private  information  by  competitors  or  others  using  the 
Freedom  of  Information  Act  and  by  intelligence  and  law  enforcement  could  stifle 
attempts to promote information sharing between the government and private sector
businesses. While a working group in the Department of Justice is addressing the need for
new  legislation  to  alleviate  these  concerns,  such  a  solution  is  a  long  way  off. 

A  new  government  organization  would  likely  face  staffing  problems  because  of  its 
inability  to  offer  competitive  salaries,  the  general  shortage  of  trained  personnel  with 
information  assurance  expertise,  and  the  general  perception  (often  expressed  in  interviews 
and  workshops)  that  government  research  cannot  stay  on  the  cutting  edge  of  a  field  that 
moves  as  quickly  as  IT.  Moreover,  numerous  interviewees  (both  in  and  out  of 
government)  expressed  the  view  that  a  government  agency  would  be  relatively  costly. 

Consolidating  government  functions  in  a  mission-focused  activity,  as  in  the 
historical  examples  cited  above,  succeeds  only  when  both  the  President  and  Congress 
determine  to  support  the  new  activity.  Otherwise,  turf  battles  and  policy  debates  will 
negate  the  effectiveness  of  the  new  activity.  In  this  case,  complete  consolidation  may  be 
counterproductive.  It  could  undermine  existing  activities  at  DARPA  and  NSA  aimed  at 
protecting  the  government’s  own  systems.  A  new,  complementary  government  activity 
for  information  infrastructure  protection  R&D— along  the  lines  of  the  office  models 
discussed  above— could  nevertheless  help  to  integrate  efforts  within  the  government  if  it 
is  provided  adequate  funding  as  well  as  support  to  influence  work  going  on  elsewhere  in 
government.  Even  if  it  succeeds  in  integrating  government  efforts,  however,  the  activity’s 
government  orientation  is  likely  to  limit  its  success  in  promoting  private  sector 
collaboration. 

C.  PRIVATE  SECTOR  CONSORTIUM 

Where  the  two  previous  alternatives  are  largely  governmental  in  focus,  a  purely 
private  alternative  is  to  establish  a  private-sector  consortium  to  address  infrastructure 
protection  issues.  This  idea  has  received  strong  support  in  some  quarters.  The  consortium 
would  be  a  private,  not-for-profit  entity  formed  by  industry  and  led  by  a  private-sector 
board of directors. While the government might provide seed money to assist in the
formation of the consortium, it would thereafter be only a research sponsor or customer,
not a member.

Members  would  come  from  both  the  users  of  information  infrastructure  protection 
products  and  services  and  the  suppliers  of  those  products  and  services.  The  consortium’s 
customers  would  include  its  members,  subscribers  to  its  services,  and  project  sponsors. 
Customers  and  sponsors  would  include  both  government  activities  and  private  firms.  For 
example, the government could contract with the organization to assist the CIP-IWG and
the NSC’s National Coordinator for Critical Infrastructure Protection and
Counterterrorism  in  strategy  development  and  planning.  While  government  funding  could 
establish  linkages  between  key  agencies  and  the  consortium,  the  bulk  of  the 
organization’s  funding  would  most  likely  come  from  the  private  sector,  and  the 
government  would  therefore  have  little  leverage  over  the  overall  program.  Hence,  the 
term  “purely  private  sector”  is  sometimes  used  to  refer  to  this  alternative. 

1.  Examples 

There  are  several  examples  of  consortia  that  illustrate  this  approach.  These  have 
generally  been  formed  to  address  technology  challenges  facing  a  particular  industry 
sector. 

“High Tech Consortium.” Cisco Systems, Motorola, Solectron, Dell, and Sun
Microsystems  have  created  the  High  Tech  Consortium  (HTC)  to  keep  track  of  the  Y2K 
compliance  of  major  suppliers  and  service  providers.  Because  the  industry  consists  of  a 
complex  network  of  suppliers  and  distributors,  it  is  nearly  impossible  for  individual 
companies  to  assess  the  Y2K  readiness  of  their  entire  product  lines.  The  HTC  used 
standardized  tools  to  determine  and  prepare  for  possible  Y2K  disruptions.  Trained 
representatives  from  HTC  member  companies  assessed  the  suppliers,  and  shared 
information  on  the  Data  Sharing  Service,  a  secure,  Internet-based  database. 

SEMATECH.  SEMATECH  is  a  not-for-profit  technology  development 
consortium  of  nine  U.S.  semiconductor  manufacturers.  It  was  created  to  reinvigorate  the 
U.S.  semiconductor  industry,  and  co-funded  by  government  (DoD)  and  industry  with 
support  from  the  University  of  Texas.  Key  objectives  are  to  accelerate  development  of 
advanced  manufacturing  technology  focused  on  semiconductors,  enhance  relationships 
between  makers  and  suppliers,  coordinate  the  setting  of  standards,  develop  training 
programs  for  industry  and  create  university  centers  of  excellence  with  research  grants. 

Of  the  various  models  described  here,  the  consortium  is  the  most  focused  on 
private  sector  requirements.  Indeed,  the  proponents  of  forming  a  consortium  favor  it 
because  it  would,  by  its  nature,  entail  the  close  participation  of  industry.  The 
shortcoming  of  this  approach  is  that  it  may  be  very  difficult  to  organize  the  industry 
support  needed  to  implement  this  approach.  As  we  noted  in  chapter  2,  industry  is  looking 
for  government  to  take  the  lead  in  this  area. 


As this section illustrates, there are a number of feasible structural approaches for
performing the functions needed to strengthen information infrastructure protection. We
have commented briefly on their main features. The following sections present a more
complete  assessment  of  their  strengths  and  weaknesses. 

2.  Assessment 

A  private  consortium  has  several  apparent  advantages.  Most  importantly,  it  would 
by its very nature require the active participation of industry. Industry leadership can be
expected to shape an agenda that is both practical and responsive to the changing
environment. However, many experts (including some in private industry) expressed the
concern that a purely private organization would be less likely to focus on the long-term
national research problems that need to be addressed.

Industry consortia have been formed in the past to focus on pressing common
problems but their time horizon and focus has tended to be relatively near-term and
understandably limited to purely commercial concerns. The need for some information
infrastructure protection functions will arise from a public interest or national security
perspective, and may not appeal to a purely industrial organization. The solutions to
many of the more important R&D problems related to information assurance will require
input from a wide variety of disciplines (including, for example, behavioral science) and
only after a very long-term investment of time and resources and after one or
more false starts. In addition, while some fruits of consortium R&D may at some point
find their way into commercial products or services, other consortium efforts (and often
expensive ones, like developing test beds) would bring significant but only indirect
payoffs. Further, an emphasis on near-term commercial payoffs could lead a consortium
to restrict the use of its research results and the flow of information about them—an
approach that directly contradicts the government’s interest in wide dissemination and use
for the public good. Moreover, such action might expose the consortium or its members
to government or private anti-trust action.

For  these  reasons,  the  option  of  setting  up  a  purely  private  research  consortium 
received  only  limited  support.  The  consortium  model  also  poses  some  difficult 
management challenges. To start with, such a private consortium could not necessarily
count on broadly based industry support. Individual companies might contribute human
and financial resources if they perceived that a consortium product offered direct
commercial  advantage,1  but  many  interviewees  (including  a  number  of  industry 
representatives)  questioned  whether  companies  would  support  a  consortium  research 
agenda  focused  primarily  on  longer-term  “national”  issues  that  did  not  promise 
immediately  marketable  results. 

Finally,  those  interviewed  generally  warned  that  there  is  no  reason  to  assume  that 
a  private  consortium  would  be  able  to  promote  cooperation  and  coordinate  information 
sharing  more  effectively  than  government.  Historically,  consortia  have  worked  only  when 
industries  face  pressing  challenges  that  firms  believe  they  cannot  address  effectively  by 
working  independently.  Our  review  finds  that  industry  does  not  yet  feel  sufficient 
pressure  to  give  rise  to  a  collective  effort  in  this  area.  In  fact,  the  cut-throat  nature  of 
competition  in  many  of  the  industries  involved  has  generated  a  level  of  intra-industry 
mistrust  that  would  be  extremely  difficult  to  overcome,  and  which — if  not  countered — 
would  doom  any  serious  effort  at  meaningful  information  sharing.  In  addition,  many  in 
the  government  would  be  concerned  about  sharing  information  with  a  purely  private 
consortium  over  which  government  had  relatively  little  influence. 

D.  THE  CASE  FOR  THE  I3P 

The  I3P  described  at  the  outset  of  this  chapter  presents  the  best  chance  of 
avoiding  the  potential  pitfalls  of  purely  industry  or  purely  government  solutions.  As 
indicated  in  the  discussion  above,  a  programmatic  initiative  suffers  because  it  is  a 
government  solution  and  because  it  does  not  provide  a  sufficiently  strong  focus  on 
information  infrastructure  protection  R&D  and  related  functions.  A  new  mission-focused 
government  activity  addresses  the  latter  problem  but  still  carries  the  burden  of  being  in 
the  government.  While  a  private  consortium  would  benefit  from  the  greater  flexibility  of 
being  in  the  private  sector,  it  might  hold  the  needs  of  its  members  above  the  public 
interest  in  information  infrastructure  protection.  Moreover,  it  might  be  reluctant  to  accept 
leadership  from  the  government.  What  is  needed  is  an  organization  that  bridges  the  gap 
between  these  governmental  and  private  sector  models.  The  I3P  is  designed  in  a  way  that 
accomplishes  this  and  resolves  the  concerns  raised  by  the  other  models. 

The  relative  merits  of  the  I3P  and  the  options  discussed  in  the  previous  sections 
are summarized in Tables 10-1 and 10-2, and discussed in the following paragraphs.


1 As was the case with SEMATECH-funded research aimed at improving the capabilities of its members’
suppliers.  There  was  no  direct  commercial  advantage  to  any  member. 




Table 10-1. Functional Assessment of the I3P versus Alternatives

Ability to Meet Cross-cutting National Requirements

Shaping the National Agenda
    Programmatic Initiative Only: Establishes a relatively weak public and private sector agenda-setting framework
    Government Organization: Strengthens coordination within the government; and establishes a clearer focus for public-private coordination
    Private Consortium: Focuses primarily on private sector needs, and provides a weak mechanism for government involvement
    I3P: An organization with private governance and government sponsorship provides a forum for creating a balanced national agenda

Integrating Activities across Sectors and Functions
    Programmatic Initiative Only: A programmatic initiative provides no new resources or structures for integration
    Government Organization: New government organization could strengthen integration
    Private Consortium: Consortium would strengthen integration within the private sector
    I3P (++): Organization provides balanced public-private integration capability, but would still be one among many actors

Ability to Meet National Requirements in Functional Areas

    Programmatic Initiative Only: National focus blurred by differences among government agencies, and the balance would be undermined by a lack of strong industry participation
    Government Organization: Strengthens focus within government, but a government-led effort would not elicit the industry participation needed to achieve a balanced National focus
    Private Consortium: A purely private sector dominated structure would not receive the government engagement needed to achieve a balanced National focus
    I3P: An organization with private governance and government sponsorship could develop a balanced National focus

    Programmatic Initiative Only: Dispersion of authority undermines responsiveness; and federal program planning and budgeting processes are often slow to react to emerging needs
    Government Organization: A lead organization could consolidate decisionmaking, but it still must work within the government’s budgeting processes
    Private Consortium: As a private body, could be responsive in allocating resources to meet emerging R&D needs & fill gaps
    I3P: As a private body, could be responsive in allocating resources to meet emerging R&D needs & fill gaps

(Cont’d)




Table 10-1. Functional Assessment of an I3P versus Alternatives (Cont’d)

Ability to Meet National Requirements in Functional Areas (Cont’d)

Information Sharing
    Programmatic Initiative Only (0): Would support existing and nascent information sharing mechanisms
    Government Organization (+): Lead agency should strengthen information sharing mechanism within government
    Private Consortium (+): Provides no mechanism for info sharing with gov’t
    I3P (++): The I3P provides a feasible home for establishing a collaborative government-industry information exchange

    Structure does not address industry’s inhibitions to sharing information with the government
    Structure does not address industry's inhibitions to sharing information with the government
    A well-designed “neutral forum” could overcome industry's inhibitions to sharing data
    A well-designed neutral forum could overcome industry’s inhibitions to sharing data
    Competitiveness and antitrust considerations continue to inhibit information sharing among industry participants
    Competitiveness and antitrust considerations continue to inhibit information sharing among industry participants

Product and Services Evaluation
    Programmatic Initiative Only (0): Hard to achieve inter-agency consensus on needed actions. May not engage industry
    Government Organization (+): Could strengthen federal support for improvements in product and services evaluation methods
    Private Consortium (+): Might not assure neutrality within private sector and access to government sources
    I3P (++): Could provide a neutral forum that attracts comprehensive participation to harmonize and upgrade practices

Education & Training
    Programmatic Initiative Only (0): Distributed execution across government would not strengthen integration between R&D and educational initiatives
    Government Organization (+): Could strengthen federal support for educational initiatives, but would not strengthen linkages with industry and academia
    Private Consortium (+): A consortium could strengthen coordination of industry-led initiatives, but it would lack access to federal information and resources
    I3P (++): The organization could foster collaboration between industry and the government to support education initiatives

Key: 0 = no change from status quo in supporting national needs in the functional area; + = slight support;
++ = moderate support; +++ = significant support.


Table  10-1  shows  how  well  each  model  would  satisfy  requirements  specific  to  the 
major  functions,  along  with  several  cross-functional  needs.  For  example,  in  the  R&D 
functional  area  the  table  provides  comments  on  three  criteria:  responsiveness,  national 
mission  focus,  and  integration.  The  crosscutting  criteria  assess  how  well  each  structure 
meets requirements for shaping a national agenda and integrates that agenda across
sectors and functions ... structure motivates strong public and private participation—a key
requirement for an I3P.

... management ... example ... in inducing involvement. We also consider staffing issues,
start-up challenges, cost-effectiveness, and legal and regulatory issues.


Table 10-2. Alternatives versus Management Criteria

Ability to Engage Industry
    Programmatic Initiative Only: Increased program funding would strengthen industry’s willingness to engage
    Government Organization (++): This option signals stronger government commitment & will strengthen industry’s willingness to engage
    Private Consortium (+++): By definition this is an industry driven activity
    I3P (+++): The industry-led governance structure combined with government funding support will engage industry

Ability to Build Needed Staff
    Programmatic Initiative Only (+++): Limited by federal salaries, but additional personnel only needed for strengthening the government coordination mechanism
    Government Organization: Limited by federal salaries; staffing a new government organization could prove quite difficult
    Private Consortium: Industry will staff the consortium; but incentives are weak for providing top personnel
    I3P (+++): Competitive salaries may be offered, and staffing a small private activity is feasible

Ease and Speed of Start-up
    Programmatic Initiative Only (+++): No new mechanisms, agencies, facilities, staff needed
    Government Organization: Would require new government office
    Private Consortium: Would require industry initiative and negotiations
    I3P: Would require new organization; but could be incubated in existing organizations


... not-for-profit private organization to undertake a ... without having to answer to
impatient shareholders looking for quick returns on their investments. Moreover, it
would be better suited than a private ... research approaches that most experts agree
... because it could draw talent from universities, private industry and ... also could ...

An I3P would enjoy similar advantages over the ...


Participants  in  the  interviews  and  workshops  generally  agreed  that  the  fundamental  (and 
most  difficult)  challenge  in  setting  up  any  information-sharing  regime  is  to  gain  the  trust 
of  industry.  The  limited  success  of  current  efforts  backs  up  the  contention  of  many  of  the 
interviewees  that  while  a  programmatic  initiative  has  some  potential  to  set  up  information 
sharing  mechanisms,  the  disincentives  to  industry  participation  would  likely  remain 
strong. 

An  organization,  structured  as  a  neutral,  non-profit  entity,  could  alleviate  many  of 
those  concerns  by  acting  as  an  honest  broker,  providing  guidelines  concerning  what  kinds 
of  information  industries  should  collect,  then  gathering,  sanitizing,  and  repackaging  that 
proprietary  information  in  a  way  that  would  minimize  the  potential  risks  for  individual 
companies.  However,  the  success  of  this  approach  would  depend  largely  on  how  the  I3P 
is  staffed  and  what  provisions  it  makes  for  protecting  proprietary  and  sensitive 
information  that  comes  into  its  employees’  hands  in  the  course  of  its  work. 

An I3P would be granted government authority to handle and originate classified
material  necessary  for  accomplishment  of  its  mission. 

Most  interviewees  conjectured  that  an  organization  would  be  able  to  (1)  develop 
the  breadth  of  vision  to  help  set  a  national  information  assurance  agenda,  (2)  build  on 
existing  government  and  private  efforts  to  coordinate  across  sectors,  and  (3)  offer  the  best 
chance  among  all  the  organizational  options  of  enlisting  the  degree  of  industry  support 
and  participation  that  generally  is  seen  as  critical  to  the  success  of  any  national 
information  assurance  effort.  Moreover,  this  new  organization  could  be  incubated  in 
existing  entities.  This  would  help  expedite  the  process  and  keep  costs  under  control. 

As  a  private  non-profit  institution,  the  I3P  would  not  face  the  FOIA  concerns  that 
might  undermine  government  institutions.  If  suitably  structured  and  carefully  managed,  it 
could  also  avoid  the  potential  for  anti-trust  concerns  related  to  information  sharing  that  a 
purely  private  consortium  might  face.  While  the  shortage  of  qualified  talent  in  certain 
areas  related  to  information  assurance  would,  most  agreed,  pose  challenges  in  the  start-up 
phase,  establishing  a  small  permanent  staff  augmented  by  rotating  personnel  from 
industry  and  academia  could  give  the  I3P  the  necessary  professional  credibility  and 
intellectual  flexibility.  This  would  have  the  added  advantage  of  balancing  industry’s  real- 
world  experience  with  the  theoretical  and  big-picture  expertise  of  the  academic  and  policy 
communities. 




E.  CONCLUSION 


At  the  outset  of  this  chapter,  we  noted  that  private  firms  are  the  predominant 
owners  of  the  information  infrastructure  and  are  therefore  ultimately  responsible  for 
correcting  security  deficiencies.  Industry  also  retains  the  rights  to  the  information  that  is 
essential  for  identifying  and  assessing  infrastructure  vulnerabilities.  At  the  same  time, 
government  responsibility  for  coordinating  across  sectors  to  address  what  amounts  to  a 
pressing  national  problem  cannot  be  ignored.  Motivating  strong  and  balanced  public  and 
private  participation  is  central  to  progress  in  this  area.  On  balance,  therefore,  we  concur 
with  the  opinion  expressed  by  a  significant  majority  of  participants  in  IDA  interviews  and 
workshops:  that  an  organization — very  similar  to  the  laboratory  proposed  by  the 
PCAST — needs  to  be  created. 




Chapter  11 

CONCEPT  OF  OPERATIONS 


The  preceding  chapters  have  set  out  the  reasoning  for  establishing  the  I3P  for 
Information  Infrastructure  Protection  and  the  functions  it  should  perform.  In  this  chapter, 
we  outline  a  concept  of  operations  for  such  an  organization.  Our  focus  is  on  the  kind  of 
private-sector  organization  that  the  assessment  in  the  previous  chapter  concludes  is  most 
likely to succeed in engaging industry in support of the I3P’s mission. The concept of
operations presented here provides a framework and starting point for creating more
detailed proposals. We describe the proposed I3P’s (A) mission; (B) tasks, deliverables,
and  performance  measures;  (C)  structure,  and  (D)  sponsorship  and  funding.  Section  E 
reviews  several  alternative  frameworks  for  establishing  the  I3P.  Related  legal  issues  are 
identified  in  Section  F. 

A.  MISSION 

The  purpose  of  the  I3P  remains  essentially  the  same  as  that  originally  proposed  for 
a “laboratory” by the PCAST: “...to conduct research and develop technology that would
protect  our  critical  information  and  communications  systems  from  penetration  and 
damage  by  hostile  foreign  national  or  sub-national  groups,  organized  crime,  determined 
hackers,  and  from  natural  instabilities,  internal  design  weaknesses  or  human  failings  that 
can  cause  major  disruption  of  highly  complex,  nonlinear  networks.”  The  PCAST 
emphasized  the  need  to  understand  a  wide  range  of  potential  vulnerabilities.  They  must 
all  be  evaluated,  their  risks  assessed,  and  mitigation  strategies  identified.  Following  is  a 
draft  mission  statement: 

The  I3P  will  engage  with  industry,  academia,  and  government  to 
coordinate  a  national  R&D  program  and  related  functions  with  the 
objective  of  avoiding  disruptions  of  cyber  systems  that  could  result  in 
catastrophic  failures  of  the  critical  information  infrastructure.  In  particular, 
the  I3P  will  emphasize  R&D  to  understand  vulnerabilities  in  the  critical 
information  infrastructure  and  develop  counters  to  a  widespread,  well- 
organized  attack  that  could  severely  disrupt  or  damage  critical  systems  that 
are  essential  to  our  national  defense,  economic  prosperity,  and  quality  of 
life. 




B.  TASKS,  DELIVERABLES,  AND  PERFORMANCE  MEASURES 

Establishing—and then managing—the I3P will require developing plans
specifying concrete deliverables and performance measures in each of the four functional
areas identified in Part III of this report. This will serve to clarify the organization’s
various roles and show how its work relates to that of other activities and initiatives. As
discussed later in this chapter, steering groups that permit consultation among industry,
academic, and government experts should be formed to formulate these plans,
deliverables  and  performance  measures.  To  provide  a  starting  point,  Table  11-1  presents 
representative  examples  for  each  area. 

The I3P’s deliverables would take many forms—tangible and intangible, broad in
scope  and  narrow,  objective  and  subjective  in  the  manner  in  which  they  may  be 
measured.  For  example,  the  first  deliverable  in  the  Overarching  Management  and 
Leadership  Function  is  to  develop  a  national  agenda.  One  measure  of  the  contribution  of 
this  activity  is  the  degree  of  acceptance  of  the  agenda  by  key  leaders  in  government  and 
industry.  The  I3P  must  be  able  to  shape  a  national  agenda  and  broadly  integrate  across 
sectors  and  functions.  It  must  motivate  strong  and  balanced  public  and  private 
participation.  Overall  performance  will  be  measured  by  how  well  these  essential 
crosscutting  functions  are  accomplished. 

Similar  deliverables  and  performance  measures  are  suggested  for  each  of  the  other 
functional  areas.  The  integration  of  these  deliverables  and  the  performance  of 
crosscutting  functions  are  central  to  accomplishing  the  I3P’s  mission. 

C.  STRUCTURE 

The structure of the I3P is dictated by the need to engage industry, academia, and
government to work together in identifying and addressing infrastructure vulnerabilities
and threats. It is imperative that the I3P maintains effective working relationships across
the wide spectrum of external communities and activities exemplified in Figure 11-1. The
I3P’s staffing, governance structure, sponsoring relationships, and external linkages are
designed  to  foster  the  needed  relationships. 




Table  11-1.  Representative  I3P  Tasks,  Deliverables,  and  Performance  Measures 


Tasks 

Deliverables 

Performance  Measures 

Overarching  Management/Leadership  Function 

•  Shape  the  National  Agenda 

•  Integrate  Activities  across 
sectors  and  functions 

•  Develop  an  agenda 

•  Effective  integration  of  public 
and  private  activities  led  by 
efforts  of  key  leaders 

•  Acceptance  of  agenda  by  key 
leaders  in  government  and 
industry  across  sectors  and 
functions 

•  Acceptability  of  the  I3P  as  a 
forum  for  integrating  national 
activities 

Function:  Research  and  Development 

•  Support  development  and 
integration  of  national  strategy 

-  Define  and  study  the 
national  information 
infrastructure  as  an  end-to- 
end  system  of  systems 

-  Track  public  and  private 
sector  R&D  (see 
information  sharing  below) 

-  Support  the  development 
of  a  national  R&D  agenda 
aimed  at  protecting  the 
critical  information 
infrastructure 

•  Coordinate  and  sponsor  R&D 
to  fill  gaps  and  shortfalls  in 
defined  areas  of  interest 

•  Definition  and  atlas  of  national 
critical  infrastructure  sectors 
and  interdependencies 

•  Integrated  knowledge  base 
identifying  R&D  gaps, 
shortages,  and  opportunities 

•  A  national  R&D  agenda 

•  A  unified  and  integrated 
framework  for  IA  analysis  and 
vulnerability  assessments 

•  Research  project  findings  and 
products 

•  Improvements  in  the 
understanding  of 
infrastructures  and 
interdependencies 

•  IT  community  recognition  that 
gaps  exist  and  are  important 
to  rectify 

•  Acceptance  of  agenda  by  key 
leaders  in  government  and 
industry  across  sectors  and 
functions 

•  Advances  in  understanding  of 
infrastructure  vulnerabilities 

•  Measurable  contributions  from 
sponsored  research;  e.g. 
advances  in  technologies  for 
protecting  infrastructure 
sectors 

Function:  Information  Sharing 

•  Provide  clearinghouse  to 
facilitate  two-way  sharing  of 
information 

•  Collect,  sanitize,  analyze, 
evaluate,  archive,  and 
disseminate  information 

•  Coordinate  across  sectors  and 
technologies  to  identify 
common  deficiencies  and 
highlight  areas  where  R&D  or 
other  corrective  action  is 
needed 

•  Identify  and  appropriately 
classify  aggregated 
information  that,  if  released, 
could  be  harmful  to  national 
security 

•  Integrated data base on
infrastructure  vulnerabilities 

•  Information  necessary  to 
execute  R&D  program 

•  Dissemination  process  that 
effectively  communicates 
vulnerability  assessments  and 
research  products 

•  Effectiveness  evidenced  by 
level  of  sharing  activity,  quality 
of  symposia 

•  Knowledge  and  resources 
available  for  specified  subject 
areas 

•  Useful  and  responsive  service 
as  judged  by  internal  and 
external  users,  fulfillment  of 
requests  within  targeted 
timeframes 

•  No  release  of  classified, 
proprietary  or  sensitive 
information. 

Continued 




Table 11-1. Representative I3P Tasks, Deliverables, and Performance Measures (Cont’d)

Tasks

Deliverables

Performance Measures

•  Coordinate ... products and services

-  Harmonize processes and
criteria used by evaluators

-  Facilitate on-going work
and the establishment of
new capabilities

-  Fill gaps in evaluation and
accreditation areas where
only the I3P is serviceable

•  Promote and oversee R&D to
improve test methods and
develop tools, metrics, and
benchmarks (see R&D above)

•  Establish linkages for
gathering and sharing of
information on best practices
(see information sharing above)

•  Promote the education and
training of IA practitioners,
educators, and researchers

-  Monitor the ability of
existing programs to meet
workforce requirements

-  Address shortfalls through
partnerships with outside
organizations or I3P
activities

•  Link the I3P’s activities in
other areas to education
and training

-  Speed the flow of the
I3P’s research results
to IA curriculum,
training & standards

-  Tailor sponsored
research projects to
help increase the
number of IA teachers
& researchers

-  Use intramural and
extramural hiring and
intern policies to
attract bright people to
the IA field

•  Harmonized best practices
and standards

ap0STm0,S,iWa,d8

•  Specialized accreditation &
evaluation where needed

Training and Education

•  Curriculum specifications

srX’agpro9raTO,or

•  Status reports on national
education and training
activities

•  Transfer of research findings
for use in education and
training

•  ... evaluated, evaluators
accredited, rigorous criteria
and methods used, purchased
products certified, certified
systems passing “red team”
tests

•  ... of conflicts among
standards available and used
as evaluation criteria

•  ... of improved tools
and techniques, improved
testing effectiveness, time,
and cost

•  Effectiveness evidenced by
membership, level of activity,
increased use of best
practices

•  Absence of unnecessary
duplication

•  Quantitative and detailed
knowledge of workforce
supply pipeline and demand

•  Measured contributions to
reducing shortages, improving
curricula, expanding
professional certifications

•  Speed and effectiveness for
transferring research results to
educational materials

•  Numbers and types of
professors and students
supported, duration of support

•  Numbers and progress of
recruits from outside the field




Figure 11-1. I3P Structure and External Relationships
[Figure labels: Executive Office of the President; Interagency Oversight Council; Sponsoring Office; Government Coordination Mechanisms (examples: IWG, NCO, NGI, HPC, NIAP, NIPC); Firms (IT product & services providers, infrastructure owners); Universities, Laboratories, Research Institutes; Government Agencies]


1.  Staffing  and  Governance 

Industry  officials  told  us  that  strong  private  sector  leadership  and  direction  from  key 
industry  CEOs  is  most  conducive  to  securing  effective  private  involvement.  A 
prerequisite for this will be to recruit senior executives to serve on the I3P's board of
directors. Industry officials have indicated that senior executives would be willing to
serve on the board if it interacts with the most senior levels of government and has
significant influence in shaping the I3P’s program. The directors will be selected from
key  CEOs  representing  a  cross-section  of  information  infrastructure  provider  and  user 
industries,  along  with  academic  and  national  security  policy  experts.  The  board  will 
interact  with  (and  perhaps  have  overlapping  membership  with)  senior  advisory  groups 
whose  mandates  encompass  infrastructure  protection.  These  include  the  President’s 
Committee  of  Advisors  on  Science  and  Technology  (PCAST),  the  National  Infrastructure 
Assurance  Committee  (NIAC),  and  the  National  Security  Telecommunications  Advisory 



national  stature.  The  CEO  must  be  able  to  int  t  **  reSpected  Person  with 
be  board  of  directots.  ne  CE0  “  a  ^  with  the  other  members  of 

individuals  to  the  I3P’s  staff  He  or  she  miTTl  l  ^  '°  energetic-  <»Pable 

planning, 

the  staff  will  remain  to  be  defined  when  rela,lonshiPs-  He  exact  size  of 

professional  sbdf  is  expect*  ,„  number  hell  *T**  ^ 

formulation,  progmm  planning  mtd  prog™ 1ST 1,“ S 


Federa,  Advise  CwM,i„™Srn,S  **  ’ ' **• 

FACA defines “advisory committee” as:

^S5?issast  xscsasisj  ?ree' *  ^ 

(C) established or utilized by one or more agencies,

for  the  President  or  one  or  more 

£££*  “ con,|,0SKl  **  «> mi-«^  XSiSSTSSSffl 

An I3P board that is subject to FACA would face the following requirements:

1. Its establishment would have to be determined to be “in the public interest.”

2. Its membership would have to be “fairly balanced in terms of the points of view represented
and the functions to be performed.”

4-' 

ofcrwise  and  discussion  or  disctaje  rf  ehssM?rtof0”  *“  Publio  >**«*  requires 

°f  3  kW  proK<*‘1  Ho",  public  d,iS7^en'm'’™£ry  * 




organize  and  direct  teams  of  government,  industry,  and  university  experts  assembled  to 
perform  specific  tasks. 

The professional staff would be augmented in two ways. First, information
assurance experts on temporary assignment to the I3P will support specific projects.
Such assignments are intended to help keep the I3P integrated with industry, academic, and
government R&D programs and ensure that its project teams maintain technological
currency. Such experts may also serve on the professional staff of the I3P for limited
periods.

Second, a steering group will be established to support planning and program
definition for each of the I3P’s four functions. These steering groups would be
responsible for integrating private and federal efforts in each functional area. For
example, the R&D working group should focus on setting the R&D agenda for the I3P. It
should include Chief Technology Officers (CTOs) from industry, along with academic
experts and government and executives.

These steering groups will advise the I3P’s CEO on overall strategy and plans for
the I3P. They will perform their roles under the policy guidance of the board of directors
and the direction of the CEO. The steering groups will advise in structuring specific
tasks, and their members should have the authority to commit personnel from their
organizations to participate on project teams. Steering group members will perform their
duties on a part-time basis, relying primarily on electronic communications with
occasional face-to-face meetings.

An administrative staff that will operate the I3P and manage the business and
legal aspects of the I3P’s extensive external contracts will support the technical staff. The
size of staff required for these functions will depend on the administrative approach
adopted by the I3P. Needed support may be hired by the I3P, obtained through out-source
contracts, or provided through matrix-support from a parent organization.

2.  External  Relationships 

Several kinds of external relationships must be developed by the I3P in order to
carry out its mission. These are shown in Figure 11-1 and described here.

•  Executive  Office  of  the  President.  The  I3P  must  establish  close  working 
relationships  with  the  Executive  Office  of  the  President,  including  the 
National  Security  Council,  the  Office  of  Science  and  Technology  Policy,  and 
the  Office  of  Management  and  Budget.  Each  of  these  offices  has 



responsibilities  related  to  the  mission  of  the  I3P  Th  xr  • 

for  Critical  Infrastructure  Protection  and  r  i  ^  ^atl0nal  Coordinator 
Security  Council  has  » in “ 

r reuted 

Infrastructure  Assurance  Council  (NIAC)  ^  1  6  newly  created  National 
Industry  Coordination  Mechanic  a  „  ,  ' 

and  collaborative  activities  are  concerned*  ^UStIy  ,trade  ass°ciations 
protection.  The  members  of  these  oreamVat^  lnformation  infrastructure 
cross-section  of  the  respective 

Information  Technology  Association  nf  a'  examples  include  the 

Research  Institute  (EPRI)  and  the  Bank’  TT  tbe  Electric  Power 

(BITS).  311(1  1116  Banklng  Industry  Technology  Secretariat 

•  Government  Coordination  Mechanism <■  Th«  n  , 

Office  (CIAO),  the  Interagency  Working <£? 1Calh^astruc^  Assurance 
Protection  (IWG-CIP),  the  National  fWmr  °P  °D  ^”^cal  Infrastructure 
of  Science  and  Technology  Policy  ancT  d!™  n  ^  °f  ^  0ffice 

Assurance  Program  (DIAP)  are  all  workin  a  Defense-Wide  Information 
and  development  activities  within  the  fedefalgov^e^d  C00rdinate  research 

defineroles  in  each  ofits  fo^^rtionafa^^th^t  ^Ct^v^es'  ^  DP  must 
the  existing  related  activities  The  kev  f  *  complement  and  integrate 
information  products  anT  enlces  If" T*  ^  **  d^P£  of 
operators  and  the  compaJeTS  rtyZZ  owners  and 

business.  The  I3P  also  will  need  ,he  ««  conduct 

activities  in  order  to  obtain  a  coinn.pl,  •  of  government  agencies  and 
capabilities  and  intentions,  identify  ins  taT  “nderfandinS  o{  threat 

aa-* — sa  mKSK 

these  co^T"  Jaart  ^  &S  ^  ^  °f 
the  governance  structure  of  the  I3P  fl  a  ?S  Wlt  mdustry  ml1  be  built  through 
Relationships  with  the  Executive  Office  of  theT  d^  eXeCUti°n  ^  ^  fimctions- 
sponsoring  relationship  between  the  government  and'th  ^  ^  4111011811 

the  following  section.)  Coordination  with  ex  f  *  <'ThlS  WlU  be  discussed  in 
bodies,  and  with  other  research  institutes  and  ^  ^  aCad6miC  coordination 

the  day-to-day  execution  of  the  I3P’S  Dro  UmV61‘Slties  Can  be  accomplished  through 

I3P  s  program.  It  is  anticipated  that  the  I3P  JU 




collaborate  in  funding  and  executing  R&D  projects  with  such  organizations,  and  will  also 
establish  information-sharing  activities  with  them. 

D.  GOVERNMENT  FUNDING  AND  SPONSORSHIP 

The  I3P  will  target  its  research  and  development  agenda  toward  areas  where  there 
currently  are  gaps.  These  gaps  include  important  long-term  research  questions  and  broad 
systems-of-systems  areas  where  industry  executives  believe  they  cannot  quickly  and 
profitably  exploit  the  results.  There  is  widespread  agreement  that  research  such  as  this 
requires  the  support  of  the  government. 

Although  this  study  has  not  focused  on  specific  funding  needs,  the  PCAST's 
proposed  target  of  $100  million  per  year  in  government  funding  seems  appropriate  for 
establishing  a  critical  mass  of  effort.  This  core  level  of  support  should  be  provided  as 
general  institutional  funding  to  be  allocated  by  the  I3P  staff  under  the  direction  of  its 
private-sector  board  of  directors.  This  level-of-effort  funding  approach  would  provide  the 
I3P  with  the  sustained  support  needed  to  plan  and  execute  an  effective  program,  along 
with  the  flexibility  needed  to  allocate  funding  to  emerging  needs  and  opportunities. 

The I3P’s charter should also permit other government agencies or private firms
to support specific tasks. Industry executives indicated that they would support projects
on a cost-sharing basis if attractive projects with specific deliverables are defined and the
firms’ participation makes sense from a business standpoint. The conditions for accepting
funding should be stipulated in the I3P’s charter, and the board of directors should review
the I3P’s practices.

The  sponsoring  relationship  between  the  government  and  the  I3P  would  create 
strong  working  relationships.  The  I3P  would  receive  its  government  funding  and  liaison 
support  from  a  sponsoring  organization  in  the  Executive  Branch.  There  has  been  much 
discussion  of  where  this  office  should  be  located.  The  approach  recommended  by  most 
functional  experts  is  to  locate  the  office  in  the  Executive  Office  of  the  President.  This 
approach  emphasizes  the  inter-agency  character  of  the  I3P,  and  reduces  the  potential  for 
turf  battles. 

The  President’s  Council  on  Year  2000  Conversion  provides  a  recent  example  of  a 
new  interagency  initiative  funded  through  the  Executive  Office  of  the  President.  It  was 
established  to  organize  and  lead  the  government’s  efforts  to  bring  the  Nation’s 
information  systems  into  compliance  with  Y2K  requirements.  This  activity  had  a  very 



small central staff and a separate budget, which it was able to allocate among government
agencies responsible for executing various Y2K-related functions. A similar funding and

Pt  mln  and  T  *»  information  infrastructure 

~r:;r,a  “ capaHe  °f  - — -  «— 

The sponsoring office might alternatively be placed in an existing R&D
XT'  ^  adVantege  °f  ^  ™  *  «-  -  sponsoring  office  wol 

with  the  private  sector  appropITto  tlT^^  CaPab"1,y  "*  ^  eXPerie”Ce  “  WOTkin6 

The  second  important  linkage  with  the  government  is  through  the  creation  of  an 

interagency oversight and coordination council responsible to review the I3P’s budget and
broad  programmatic  priorities.  The  council  also  would  be  responsible  for  p^l 

effective working relationships between the I3P and relevant government agencies. The

Science  Zd  T  TnT  ""  pT”^  ^  **  Nati°nal  Security  Council,  the  Office  of 

D~«  me  n  r  T’ the  °“"  °f  ManagemeM  “d  »+*■  *•  Commerce 
Department, the Defense Department, the National Science Foundation and other
agencies with responsibilities related to information infrastructure protection.

soon  V*?  meChaniSm  for  Sovemment  linkage  is  through  the  government’s 
example  t  ”  ^  138113  10  performed  bY  ,be  BP-  The  I3P  could  be  tasked  for 

CotlatL“  C,Q  “rdna,in8  0ffi°e  &r  C°mPUting’ 

government-wide^  R^TheT/p  TT-T  “  ** 

on  Comrmtina  if  /  Wlth  **  NC°-CIC’s  Subcommittee 

De  n  M°ma“°a>  ^  Communications  R&D,  which  coordinates  with  the 

Departments and Agencies of the Federal government. Similarly, the I3P may perform
tasks in support of the National Coordinator for Information Infrastructure Protection and
Counterterrorism,  the  President’s  Advisor  for  Science  and  Technology  Po  y  ““ 
government  agencies.  By  y’  or  ror 

E.  ALTERNATIVE  STRUCTURES 

A  private-sector  I3P  could  be  established  in  a  number  of  ways.  Three  possible 
models  were  most  frequently  suggested  in  our  discussions.  Each  of  these  models 



includes a government sponsoring activity and a contract with a private-sector
organization. The three models are (1) a private corporation such as the IN-Q-TEL
Corporation recently established by and for the Central Intelligence Agency, (2) a
Federally Funded Research and Development Center (FFRDC) such as those that have
served DoD since WWII, and (3) a public corporation such as the Communications
Satellite Corporation (COMSAT).2 Each model is discussed in turn.

1.  A  Private  Corporation:  IN-Q-TEL 

The most direct method for establishing a private-sector I3P is for a government
sponsor to engage in a long-term contract with a privately-formed corporation that is
dedicated to the infrastructure protection mission. Many firms possess the needed
technical expertise, and are actively engaged in this area. However, these firms are
profit-making enterprises, and competitive considerations within their client bases, and across
firms, would prevent them from performing the I3P’s functions. One model that does
have promise is to create an entirely new entity designed specifically to perform these
functions. The CIA’s recent initiative to establish a new information technology research
activity, originally called IN-Q-IT, but now known as IN-Q-TEL, provides an example of
how this might be done.

IN-Q-TEL  is  a  collaborative  venture  among  the  government,  industry  and 
academia.  It  has  a  twofold  mission: 

•  To  accept  strategic  problems  and  develop  a  portfolio  of  innovative  and 
unconventional  information  technology  solutions,  ranging  from  exploration  to 
demonstration 

•  To  fuel  private  research,  development  and  application  of  information 
technologies  of  strategic  national  interest  for  the  benefit  of  all  partners 

In  undertaking  these  missions,  IN-Q-TEL  will  marshal  the  full  range  of  private 
sector  IT  resources  on  CIA’s  behalf  and  with  CIA’s  initial  funding.  It  will  partner  and 


2  A  fourth  model  raised  by  a  few  experts  would  establish  a  structure  akin  to  those  employed  by  the 
Department  of  Energy’s  National  Laboratories.  The  National  Laboratories  possess  multi-billion  dollar 
government-owned research facilities, which are managed and operated by contractors. Because the I3P
will  be  a  very  small  organization,  without  major  facilities,  this  structure  offers  no  advantages. 
Moreover,  such  a  structure  would  inhibit  the  work  of  the  I3P  by  making  the  government  an  interested 
party  to  agreements  between  the  I3P  and  private  firms  or  universities,  which  would  block  the  creation 
of  needed  relationships.  Thus,  although  the  National  Laboratories  contain  vital  research  assets,  their 
structure  does  not  provide  a  good  model  for  establishing  the  I3P. 




collaborate  with  traditional  contractors  as  well  as  small  “garage  start-up”  ventures  and 
bdJe  C°mPaBieS’  °"'  'ime  "  ^  eXPeCKd  ‘°  *  mixed  °f  ejects  to 

•  Basic  and  applied  research,  engineering  and  development  of  IT-related 
products  and  capabilities  to  the  demonstration  point; 

of commercial products that could be used or modified to meet

*  one^'lT  *7 T'  pr0df  ^monstrattons,  white  papers,  proofs  of  concept, 

operational prototypes, and technology forecasts.

A major strength of IN-Q-TEL is that it employs an innovative contractual
mechanism that eliminates many restrictive legal and regulatory requirements that would
undermine the intended mission.3 The IN-Q-TEL Corporation is being set up as a
not-for-profit (501(c)) corporation independent of the CIA. Its association with the CIA is
open, and all work will be unclassified. CIA is to furnish venture capital to develop ideas,
products, and solutions in a range of information technology areas. IN-Q-TEL is

ioned  as  a  technology  broker  and  knowledge  management  company.  The 

Corporation will form about 10 partnerships with industry and academia to work on
specific  problems. 

The advantage to CIA is the ability to reach companies and universities previously
out of reach because of private corporation concerns about government controls and
security restrictions. Moreover, foreign nationals may be used, and there should be greater
speed and agility in working problem solution paths than is ordinarily the case. In
summary, IN-Q-TEL will operate in an unclassified environment, use simplified
contracts, be able to employ non-U.S. citizens, have access to the best and brightest in the
field, and be free to market and share R&D results.

IN-Q-TEL has established an effective contractual regime to deal with many of
the legal and regulatory barriers to public-private collaboration, including intellectual
property rights, information protection, and profit sharing*. Its proponents believe that


SiKKFtS  l°fT  §,2”1)  ,o  rr  ““  •  “1,ed 

procurement  contracts,  grants  and  cooperative  agreements  ThfoTuJdt  applicaWe  *° 

create  IN — Q _ TEL.  ^  ts*  Aiie  CIA  used  a  similar  type  of  contract  to 

Section F explores the primary legal concerns in greater depth.




IN-Q-TEL’s  contract  will  allow  it  to  operate  much  as  any  other  fast-moving  high- 
technology  company. 

2.  DoD  Federally  Funded  Research  and  Development  Centers  (FFRDCs) 

FFRDCs  provide  another  feasible  framework  for  performing  the  I3P’s  functions.5 
They  are  established  by  contract  between  a  sponsoring  agency  and  the  FFRDC  operator, 
usually  a  not-for-profit  corporation  or  a  university.  The  DoD  Management  Plan  for 
FFRDCs  specifies  a  core  activity  that  represents  the  principal  role  for  each  FFRDC, 
describes  its  strategic  relationship  with  its  primary  sponsor,  and  sets  out  its  missions, 
general  scope  of  effort  and  core  competencies.  This  arrangement  has  succeeded  in 
achieving  the  needed  balance  between  independence  from  the  government,  and  the  ability 
to  work  closely  with  both  the  government  and  private  industry. 

FFRDCs  are  already  addressing  infrastructure  protection  issues.  Nearly  every 
FFRDC  has  contractually  defined  core  competency  areas  that  touch  on  national 
information  infrastructure  protection.  Two  whose  current  core  areas  are  most  directly 
relevant  to  the  mission  of  the  I3P  are  the  Software  Engineering  Institute,  operated  by 
Carnegie  Mellon  University,  and  the  DoD  C3I  FFRDC,  operated  by  the  not-for-profit 
MITRE  Corporation. 


5  FFRDCs  are  defined  by  the  Federal  Acquisition  Regulation  (FAR)  as  follows: 

35.017  Federally  Funded  Research  and  Development  Centers. 

(a)  Policy.  (1)  This  section  sets  forth  Federal  policy  regarding  the  establishment,  use,  review,  and  termination  of 
Federally  Funded  Research  and  Development  Centers  (FFRDCs)  and  related  sponsoring  agreements. 

(2)  An  FFRDC  meets  some  special  long-term  research  or  development  need  which  cannot  be  met  as  effectively 
by  existing  in-house  or  contractor  resources.  FFRDCs  enable  agencies  to  use  private  sector  resources  to 
accomplish  tasks  that  are  integral  to  the  mission  and  operation  of  the  sponsoring  agency.  An  FFRDC,  in  order  to 
discharge  its  responsibilities  to  the  sponsoring  agency,  has  access,  beyond  that  which  is  common  to  the  normal 
contractual  relationship,  to  Government  and  supplier  data,  including  sensitive  and  proprietary  data,  and  to 
employees  and  facilities.  The  FFRDC  is  required  to  conduct  its  business  in  a  manner  befitting  its  special 
relationship  with  the  Government,  to  operate  in  the  public  interest  with  objectivity  and  independence,  to  be  free 
from  organizational  conflicts  of  interest,  and  to  have  full  disclosure  of  its  affairs  to  the  sponsoring  agency.  It  is  not 
the Government's intent that an FFRDC use its privileged information or access to facilities to compete with the
private  sector.  However,  an  FFRDC  may  perform  work  for  other  than  the  sponsoring  agency  under  the  Economy 
Act,  or  other  applicable  legislation,  when  the  work  is  not  otherwise  available  from  the  private  sector. 

(3)  FFRDCs  are  operated,  managed,  and/or  administered  by  either  a  university  or  consortium  of  universities, 
other  not-for-profit  or  nonprofit  organization,  or  an  industrial  firm,  as  an  autonomous  organization  or  as  an 
identifiable  separate  operating  unit  of  a  parent  organization. 

(4)  Long-term  relationships  between  the  Government  and  FFRDCs  are  encouraged  in  order  to  provide  the 
continuity  that  will  attract  high-quality  personnel  to  the  FFRDC.  This  relationship  should  be  of  a  type  to 
encourage  the  FFRDC  to  maintain  currency  in  its  field(s)  of  expertise,  maintain  its  objectivity  and  independence, 
preserve  its  familiarity  with  the  needs  of  its  sponsor(s),  and  provide  a  quick  response  capability. 




An illustration of how existing FFRDCs might collaborate to establish an entity
with many of the elements of the proposed I3P is provided by the joint SEI, MITRE, and
RAND Corporation proposal to establish a National Infrastructure Assurance Institute
(NIAI). The proposed NIAI would be chartered as a not-for-profit corporation, under the
direction of a board consisting of industry CEOs, the heads of consortium members, and
prominent policy leaders from outside the government. Staffed by a permanent FFRDC
staff, NIAI’s technical excellence would also be enhanced by industry affiliates and
government temporary staff, thereby affording access to industry, government, and
university expertise.

3.  A  Public  Corporation 

The  third  mechanism  is  to  create  a  federally  chartered  public  corporation.  This 
approach  has  been  used  on  numerous  occasions  by  the  federal  government  to  create 
organizations  that  focus  on  specific  functions.  Examples  include  financial  organizations 
such  as  Fannie  Mae  and  Freddie  Mac.  In  the  technology  area,  the  Communications 
Satellite  Corporation  (COMSAT)  was  established  as  a  public  corporation  to  operate 
communications  satellites  and  to  serve  as  the  United  States  representative  to  the 
International  Telecommunications  Satellite  Consortium  (INTELSAT). 

An important feature of this approach is that it provides a legislated relationship
between the I3P and the federal government. Establishing a public corporation is
responsive to the recommendation of many experts that the I3P’s board of directors be
required to report to the President of the United States, in a manner similar to that of the
National Security Telecommunications Advisory Committee. This would help to
underscore that the I3P has the strong support and involvement of the highest levels of the
U.S. Government. It may also be legally permissible for government employees to serve
as members of the I3P’s board, should that kind of close link to a particular government
agency be deemed desirable.

To  create  such  a  relationship  requires  congressional  action.  Under  this  approach, 
the  I3P  would  be  a  not-for-profit  corporation,  chartered  by  an  act  of  Congress  that  also 
authorizes  the  President  of  the  United  States  to  appoint  its  board  members.  For  example, 
the  Communications  Satellite  Act  of  1962,6  which  created  the  Communications  Satellite 
Corporation,  provided  that: 


6 Pub. L. 87-624.


The  corporation  shall  have  a  board  of  directors  consisting  of  fifteen 
individuals  who  are  citizens  of  the  United  States,  of  whom  one  shall  be 
elected  annually  by  the  board  to  serve  as  chairman.  Three  members  of  the 
board  shall  be  appointed  by  the  President  of  the  United  States,  by  and  with 
the  advice  and  consent  of  the  Senate,  effective  the  date  on  which  the  other 
members  are  elected,  and  for  terms  of  three  years  or  until  their  successors 
have  been  appointed  and  qualified,  and  any  member  so  appointed  to  fill  a 
vacancy  shall  be  appointed  only  for  the  unexpired  term  of  the  director 
whom  he  succeeds.  The  remaining  twelve  members  of  the  board  shall  be 
elected  annually  by  the  stockholders.  Six  of  such  members  shall  be  elected 
by  those  stockholders  who  are  not  communications  common  carriers,  and 
the  remaining  six  such  members  shall  be  elected  by  the  stockholders  who 
are communications common carriers . . .7

The  charter  of  such  a  public  corporation  also  could  address  the  legal  and 
regulatory  aspects  of  the  I3P’s  operation.  This  would  have  the  advantage  of  explicitly 
stating  those  points  where  the  I3P  will  operate  differently  than  the  notional  entity 
receiving  federal  government  funding.  The  possibility  of  specifically  addressing  and 
eliminating  many  of  the  factors  that  potentially  inhibit  industry  cooperation  with  the  I3P 
argues  in  favor  of  the  public  corporation  approach. 

F.  LEGAL  AND  REGULATORY  ISSUES 

A  number  of  legal  issues  will  have  to  be  addressed  and  resolved  as  the  I3P’s 
charter  is  created.  These  issues  fall  broadly  into  two  categories: 

• Legal issues arising from the four particular functions that the I3P is expected
to perform.

• Legal issues associated with the proposed structure of the I3P and its planned
relationship to the U.S. government.

Most  of  the  functional  issues  were  addressed  in  detail  by  the  President’s 
Commission  on  Critical  Infrastructure  Protection  in  its  Legal  Foundations  series  of 
reports.  This  discussion  relies  substantially  on  those  reports.  In  many  cases  resolution  of 
these  issues  may  require  legislation.  Nonetheless,  if  congressional  support  is  forthcoming, 
none  should  be  “show-stoppers”  for  the  establishment  and  operation  of  the  I3P  as 
proposed  in  this  paper. 


7  This  provision  is  codified  at  47  USC  §  733(a). 




Issues of executive agent law and civil service organization and salaries (Titles 5
and 10 of U.S. Code) that might have to be faced by a government agency performing the
I3P’s functions do not arise under the proposed structure simply because it is a private


1.  Acquisition  Regulations 

Most government contracts must, by law or regulation, include a variety of
provisions that many private sector firms that do not routinely perform
government-funded R&D find onerous and intrusive. These typically include audit requirements,
restrictions on allowable costs, patent and data rights allocations that are generally
regarded as inappropriate by commercial firms, restrictions on the choice of
subcontractors, inspection requirements, and other provisions not generally found in
agreements between non-governmental entities. Often, these regulations “flow down” to
the subcontractors of the direct government contractor, thus inhibiting the establishment
of relationships between the I3P and commercially oriented private firms.

Some relief from such acquisition requirements can be obtained. The Department
of Defense, as discussed below, has the ability to contract for R&D activities using
so-called “Other Transactions” under 10 U.S.C. § 2371. This authority has limitations,
however. This suggests there may be a need for specific legislative action in the case of
the I3P to make the use of such agreements workable.

2.  Intellectual  Property 

Ownership and use of intellectual property resulting from the I3P R&D
activities, both those it funds externally and those it conducts in-house, must be
carefully addressed. If the I3P receives government funds, then standard government
contracting rules governing ownership of patents and other intellectual property will
apply unless some alternative contractual framework is provided. Those standard rules
will generally permit the I3P to own what it develops, but that ownership will likely be
subject to a government license of some kind. Government licenses have proven to be a
deterrent to the participation of many firms in government-funded R&D. This has been
especially true of particularly innovative firms like 3M or Hewlett Packard that are not
traditionally government contractors.

There are some statutory provisions for DoD R&D contracting that may allow for
a  more  innovative  approach.  For  example,  10  U.S.C.  §  2371  permits  “other  transactions” 




that  are  not  subject  to  the  “normal”  patent  rights  allocation  required  by  the  Bayh-Dole  Act 
and  that  permit  DoD  and  its  contractor  to  reach  an  appropriate  agreement  on  other  “rights 
in  technical  data”  as  well.  The  implementation  of  the  I3P’s  government  funding  must 
address these concerns and seek mechanisms such as that provided by 10 U.S.C. § 2371.

3.  Restrictions  on  the  Participation  of  Foreign  or  Multinational  Firms 

The  use  of  government  funds  may  entail  limitations  on  foreign  access  to 
technology  developed  through  the  I3P.  This  issue  may  arise  in  a  variety  of  forms  ranging 
from  export  controls  to  “prudential”  limitations  on  foreign  access  such  as  those 
commonly  used  by  DARPA.  Many  current  information  assurance  researchers  and 
graduate  students  are  not  United  States  citizens.  Limitations  on  foreign  access  to 
technology  may  limit  the  pool  of  talent  available  to  the  I3P  to  carry  out  its  research 
agenda. 

Access  by  foreign  firms  or  foreign  persons  to  technology  and  other  sensitive 
information  may  be  subject  to  legal  or  regulatory  controls.  A  particularly  difficult 
problem  in  this  area  is  the  identification  of  foreign  firms.  Many  U.S.  firms  have 
substantial  foreign  ownership  (Daimler  Chrysler,  as  just  one  example).  It  can  be  difficult 
to  arrive  at  a  definition  of  “foreign  company”  that  satisfies  the  needs  of  the  current  U.S. 
export  control  regime  (or  any  reasonable  successor  regime). 

4.  Information  Protection  and  the  Freedom  of  Information  Act 

Protection  of  proprietary  and  other  confidential  information  will  be  a  key 
consideration  in  attaining  the  necessary  degree  of  private  sector  participation  and 
confidence in the I3P. In general, it appears very likely, based on comments made in the
IDA  interviews,  that  private  entities  will  insist  on  restricting  the  I3P’s  ability  to  share 
private  firms’  information  with  the  government  for  fear  that  having  such  information  in 
government  hands  may  lead  to  unwanted  disclosure  (to  competitors,  for  example)  via  the 
Freedom  of  Information  Act  (FOIA). 

The I3P, like any other private sector organization, will have to rely on the
standard  and  customary  forms  of  protection  for  confidential  information:  non-disclosure 
agreements  and  other  forms  of  contracts  that  embody  restrictions  on  the  disclosure  by  one 
party  of  the  confidential  information  of  another.  Whether  other  firms  will  be  comfortable 
relying  on  these  protections  will  depend  largely  on  whether  they  perceive  the  I3P  itself  or 
its employees who may have access to their information as actual or potential
competitors. The rotation of research personnel suggested as part of the I3P structure will
have to be very carefully crafted to address these possible concerns.

Act  FOultT  0fte”‘eXpreS:ied  concern  in  interviews  was  the  Freedom  of  Information 

obh.inedt"C  ^  0n'y  ,0  "Aments  <»  ‘rented  or 

«  ^  8  “  W  “d  (2)  mdCT  W  control  a,  the  time  titey  are 
F  “  ’  “  “  "  "S  ^  «  “agency”  within  tire  ^  of 

“agency^I-t!  ^  ^  “ay  be  determined  to  be 

agency  records  requires  some  scrutiny. 

The Supreme Court has held that

agenly  172^77^  &  ^  *"*  “ <Wy  SUbjeCt  t0  F0IA  were  not 

agency.  wh  r  "  7  "  ^  ?*  at  time  been  obta-d  by  the  funding 

POT  a  ,  ,  ’  6  0Urt  eId’  the  data  did  not  become  “agency  records”  subject  to 

bee  TIy  USC  thC  SUpervised  **  ^ant  recipient  in  its  use  of  the  fiids  or 

research  results  we  agency  records  subject  to  FOIA,  even  Zugh  fteThlLev^e^ 

acted  TbeM™  * 7  &ndin8  *8“y-  ^  ^  “ntractor  or  grantee  had 

Hat,  7  a  ^  8  a8“Cy  and  tbe  W  hod  directed  the  creation  of  the 

pubhshT  ‘°i  P0SSeSSi°"  °f  11,6  ^  a‘  C°nclusi0“  of' *=  research,  Planned  to 

d“;;::i:,d  ^ fte  “n  in  *  -  “ — -  i 

paramel™! !h^T7  ‘°,  “  BP'S  ^  “d  ite  loesses  to  fit  within  the 
about  the  BP-  8  rUli"8S'  WhateVer  fearS  f,rms  or  individuals  may  have 

the  Bp"  se  f  stallT 7^  7  ““  inf0nT,ati°n’  FOIA  «• 

do  not  attempt .  31,10118  '  Pr°Vided  ‘ha<  federal  agencies  ^ding  the  I3P 

sharing  activities.'^  “  ^  °fC°nm  ^ itS  reSearch  ^formation 

carefi]  “°™a'i0n  Sharing  WUh  a  government  agency  by  the  I3P  must  be  done  within  a 

BP  must  SXTVr  “  7  WeU  be  'hat  'he  nondisclosure  agreements  ft*  fire 

is  to  be  an  effective  vehicle  for  research  and  information  sharing 


Forsham v. Harris, 445 U.S. 169, 100 S.Ct. 977, 63 L.Ed.2d 293 (1980).

Burka v. U.S. Dept. of Health and Human Services, 87 F.3d 508 (D.C. Cir. 1998)


will  specifically  restrict  or  prohibit  disclosure  to  the  government.  Data  shared  with  the 
government  may  have  to  be  cleansed  of  confidential  information — or  of  identifying 
information.  If  confidential  information  is  shared,  it  could  be  exempted  from  FOIA 
disclosure  if  it  is  proprietary  information  within  the  definitions  of  FOIA’s  exemptions  or 
fits  another  of  the  nine  FOIA  exemption  categories.  Many  firms  are  unwilling  to  rely  on 
FOIA  exemptions,  however.  Significant  additional  work  is  needed  to  establish  a  viable 
information  sharing  framework.  Some  kind  of  legislation  creating  an  explicit  FOIA 
exemption  for  critical  infrastructure  protection  information  under  appropriate 
circumstances may be desirable, or even necessary.

5.  Antitrust 

Antitrust  considerations  were  raised  by  a  number  of  those  interviewed,  but  they 
are  probably  of  little  real  concern.  But  again,  this  issue  must  be  addressed  in  establishing 
the  I3P’s  charter. 

In  the  strictest  sense,  anti-trust  liability  attaches  only  to  private  (that  is,  without 
government  involvement)  sharing  of  information  related  to  market  division  or  price 
fixing.  The  exchange  of  other  kinds  of  information  among  competitors  will  generally  not 
raise  the  specter  of  civil  or  criminal  anti-trust  action  either  by  the  government  or  by 
private  parties.  That  the  I3P  itself  is  not  a  participant  in  any  critical  infrastructure 
militates against anti-trust liability for sharing information with it. However, the small
risk  that  does  exist  might  arise  if  one  or  more  firms  is  denied  access  to  information  or 
believes  it  has  been  denied  such  access.  In  such  a  case,  an  excluded  firm  might  claim  that 
it  is  the  victim  of  a  boycott  or  that  it  has  been  denied  access  to  an  “essential  facility”  that 
is  necessary  to  conduct  business.  If  information  sharing  with  or  through  the  I3P  is 
mandated  by  government  action,  that  should  further  lessen  concerns  about  anti-trust 
enforcement  arising  from  information  sharing  activities. 

6.  Liability 

Liability  for  failure  to  disclose  or  inform  about  vulnerabilities  is  an  area  that  must 
be  addressed  in  the  establishment  and  operation  of  the  I3P.  Generally  there  can  be  no 
liability  where  there  is  no  duty,  but  the  proposed  structure  may  create  such  a  duty. 

Liability may also stem from the I3P’s activities relating to product and services
evaluation.  The  evaluation  of  products  and  services  for  information  infrastructure 
protection  by  a  private  entity  such  as  the  proposed  I3P  probably  raises  no  significant  legal 

However, in those instances in which the I3P does perform evaluations or
accredit evaluators or validate their tests (which should occur only in cases of need where
no alternative is reasonably available), there may be liability issues related to reliance on
the I3P’s evaluations, accreditations or validations by others. However, in part because of
the proposed close ties between the I3P and the government, a number of potential issues

under  whiTh  er7iand  “7"  ’3P  "d  drai^"«  theprecesses 

under which it will conduct itself in any case in which it becomes involved in

accreditation,  evaluations  or  validations.  These  should  include: 

The availability of mechanisms for assuring that the processes for determining
which products and services are evaluated be without bias.

‘  rcSUltin8  *0m  ,est“8  “>d  ^nation.  It 

wTnotTe  MH  v  J  t  T”  agreemen,s'  fOT  example,  that  the  government 
will  not  be  held  liable  for  the  actions  of  the  I3P  or  its  subcontractors. 

“ liability for “product defamation” under various
state  laws  for  the  publication  of  negative  evaluation  results 

*  dTSoT  ‘°  “"**  »d  «*•  and  procedures  for  then 

This broad concept of operations builds on the PCAST's proposal for a new
laboratory and the ideas and concerns shared with the IDA review team by experts in
infrastructure protection and information assurance. Based on our discussion with
experts from industry, academia, and government, we believe the general approach laid
out here provides the greatest chance of succeeding in fulfilling the I3P's mission.




Appendix  A 


The  PCAST  Letter  to  President  Clinton 


EXECUTIVE  OFFICE  OF  THE  PRESIDENT 
PRESIDENT'S  COMMITTEE  OF  ADVISORS  ON  SCIENCE  AND  TECHNOLOGY 

WASHINGTON,  D.C.  20502 


December  10,  1998 


President  William  J.  Clinton 
The  White  House 
1600 Pennsylvania Avenue
Washington,  D.C.  20500 

Dear  Mr.  President: 

You  have  made  the  protection  of  critical  infrastructure  a  high  priority,  especially  our 
interconnected  electronic  network  which  underpins  our  nation’s  monetary,  national  security,  air 
traffic  control,  telecommunications,  law  enforcement,  energy  distribution  and  other  such  critical 
systems.  Achieving  this  goal  will  require  gaining  a  systematic  understanding  of  information 
infrastructure  vulnerabilities  and  developing  and  deploying  new  technology,  equipment,  software 
and  procedures.  We  recommend  the  government  establish  and  contract  with  a  new  not-for-profit 
laboratory,  the  Laboratory  for  National  Information  Infrastructure  Protection  (LNIIP),  to  create 
and  disseminate  the  necessary  knowledge  to  protect  our  information  infrastructure.  This 
technical  organization  in  the  private  sector  but  with  certain  government  oversight  will 
complement  the  operational  capability  of  the  Department  of  Justice  National  Infrastructure 
Protection  Center,  created  by  PDD-63. 

The  new  LNIIP  should  be  governed  by  an  interdependent  board  of  directors  drawn  from  leaders 
of  the  telecommunications,  software  and  information  technology  industries  and  their  customers, 
as  well  as  from  academia.  The  purpose  of  the  Laboratory  would  be  to  conduct  research  and 
develop  technology  that  would  protect  our  critical  information  and  communications  systems 
from  penetration  and  damage  by  hostile  foreign  national  or  subnational  groups,  organized  crime, 
determined  hackers,  and  from  natural  instabilities,  internal  design  weaknesses  or  human  failings 
that  can  cause  major  disruption  of  highly  complex,  nonlinear  networks.  This  effort  would 
include  the  development  of  a  broad  understanding  of  the  robustness  and  resilience  of  such 
complex  systems  and  would  involve  creation  of  means  to  assure  graceful  degradation  under 
stress. 

Information  infrastructure  issues  affect  the  operations  of  virtually  all  elements  of  the  private 
sector  and  the  government.  At  present  there  is  no  technical  organization  dedicated  to  developing 
the  knowledge  and  common  technology  base  required  to  successfully  address  this  problem  and 
provide  the  basis  for  long  term  protection.  The  private  sector  does  not  have  the  incentive  to 
develop  the  public  knowledge  and  technology  base  required  for  the  development  of  competing 
interoperable proprietary systems—thus federal support is needed. The justification for acquiring
the  needed  knowledge  and  technology  through  government  support  of  a  new  not-for-profit 
laboratory  is  that  while  most  of  the  critical  infrastructure  lies  outside  the  government,  only  the 
government  is  in  a  position  to  derive  and  make  broadly  available  the  information  needed  to 
assure  the  integrity  of  our  nation’s  information  network.  Because  of  the  complex  relationships. 




providers  and  users  is  cniical 

proposed to accomplish this coupling, as shown in the attached diagram.

(1)  <*> 

intrusion  detection  and  warning  systems-  .2^'°"  “■?  authen,1?at'°»  stents;  (4) 

security  assurance-  (7)  best  nrartieec  fnr’  ^  a^ *  m  rec°very  ’  (6)  romporient  and  software 
with  complex  systems  The  Laboratory  eva,uat5®n;  (8)  training,  and  (9)  human  interface 

“clients”  for  the  LNIIP pi^ucS™^  “responding  govenunent  agencies  are  the 

product and must have a role in shaping the LNIIP work program

coordinating committee, although a rotating chair is an alternative

^esldent'unde^e^mrol'o^OMB^d^hrfed1 3  **  0ffi«  *«» 

this  is  an  unusual  approach;  how^vt  we  “mmittee- . We  "^agnize  that 

that  government  security  and  law  enforcement  Qet  •  Justlfi®d  because  circumstances  dictate 

Without  a  specific  work  plan  it  is  difficult  to  set  a  budget  for  the  LNIIP  with  n^-  ■ 

that about $100 million per year would not be unreasonable after a start-up
period. This money would come primarily from the federal government, although we anticipate
that  significant  funds  and  in-kind  support  would  also  come  from  industry. 

Several  independent  groups  have  proposed  the  creation  of  a  new  information  assurance  technical 
organization  such  as  we  are  recommending  here.  We  have  endorsed  this  step  because  we  believe 
it  is  the  quickest  and  most  efficient  way  to  develop  and  deploy  information  assurance 
technology.  In  particular,  we  believe  it  is  preferable  to  allocating  to  agencies,  through  the  critical 
infrastructure  protection  (CIP)  process,  all  available  funding  for  information  infrastructure 
protection.  There  is  a  need  for  a  centrally  focused  effort  in  the  private  sector  to  develop  the 
needed  technology  as  quickly  as  possible. 


If  you  approve,  OMB  and  OSTP  will  form  a  small  working  group  from  DOD,  DOJ,  and  DOC, 
with  inputs  from  others,  to  prepare  a  specific  proposal  for  your  consideration  for  inclusion  in  the 
FY2000  budget.  The  PCAST  Security  Panel  will  be  available  to  advise  this  working  group 
should  that  be  desired. 


Norman  R.  Augustine 
Chairman 
Security  Panel 


Attachments:  Proposed  LNIIP  Flowchart 


PCAST SECURITY PANEL WORKING PAPER
Proposed Management Organization for the
Laboratory for National Information Infrastructure Protection

[Organization chart. Boxes: Information Infrastructure Council; Federal Coordinating Committee (Deputy Secretary of Defense, Deputy Secretary of Commerce, Deputy Attorney General); Federal Sponsor; OMB; Laboratory for National Information Infrastructure Protection (LNIIP); Industry Advisory Committee (Telecomm/IT Providers; Industrial, Financial, Commercial Sectors); Federal Users (Defense (DOD), Law Enforcement (DOJ), Finance (Treasury), Energy (DOE), Transportation (DOT), Commerce (DOC), Emerg Services (FEMA)); Private Sector Users (IT Providers, Telecommunications, Banking, Energy, Transportation, Manufacturing). Flow labels: Feedback, Federal $, Private Sector $.]

Appendix  B 


Interview  and  Workshop  Participants 




INTERVIEW  PARTICIPANTS 

Academia: 

Duane  Adams,  CMU 

Rod  Brooks,  MIT 

Bill  Dally,  Stanford 

Andrew  Gross,  UCSD 

Mark  Hill,  University  of  Wisconsin 

Robert  Hoover,  University  of  Idaho 

Anita  Jones,  UVA 

Sid  Karin,  UCSD 

Raman  Khanna,  Stanford 

Tom  Knight,  MIT 

Steve  Koonin,  Cal  Tech 

Alan  Merten,  GMU 

Robin  Murphy,  University  of  South  Florida 

Geoff  Orsak,  SMU 

Joe  Pasquale,  UCSD 

Tom  Perrine,  UCSD 

Howard  Shrobe,  MIT 

Gene  Spafford,  Purdue 

Gary  Susman,  MIT 

Charles  Vest,  MIT 

Government  (&  Laboratories): 

Jane  Alexander,  DARPA 

Dwayne  Allain,  Rome  Laboratory 

Marjorie  Blumenthal,  NAS 

Lee  Buchanan,  Navy 

MajGen  Campbell,  JTF  CND/Space  Cmd 

John  Davis,  NSA 

Joan  Demsey,  CIA 

Rick  Dunn,  DARPA 

Bob  Eagan,  Sandia 

Craig  Fields,  DOD 

Mike  Francis,  DISA 

Norman  Green,  CIA 

Larry  Gershwin,  CIA 

John  Hagerling,  Treasury 

Sally  Howe,  National  Coordination  Office 

Kay  Howell,  National  Coordination  Office 

Jeffrey  Hunker,  NSC 

Tom  Kalil,  Council  of  Economic  Advisors 

Donald  Kerr,  FBI 

RADM Bert Kinghorn, DOT

Ernie  Moniz,  DOE 

Irv Pikus, Dept. of Commerce

Bill  Press,  LANL 

Fred  Saafeld,  Office  of  Naval  Research 

Sami  Saydjari,  DARPA 
Paula  Scalingi,  DOE 
Richard  Schaffer,  DOD 
John  Serbian,  CIA 
Randy  Shumaker,  Navy  Research 
Laboratory 
Sam Varnado, Sandia
Michael  Vatis,  FBI 

Bill  Weldon,  Office  of  Naval  Research 
Curt  Weldon,  U.S.  Congress 
Jack  Woodward,  LtGen,  DOD 
Rick  Yanuzzi,  CIA 

Robert  Zomback,  Army  Communications- 
Electronics  Command 

Private  Sector  (&FFRDCs): 

Duane  Andrews,  SAIC 
Bill  Burnett,  Gas  Research  Institute 
Jennifer  Chayes,  Microsoft 
Guy  Copeland,  CSC 
Steve  Cross,  SEI 
William  Crowell,  Cylink 
Jack  Edwards,  Nortel 
Bran  Ferren,  Walt  Disney  Imagineering 
Matthew  Flannigan,  Telecommunications 
Industries  Association 
Jerry Gregoire, Dell Computers
Bob  Henderson,  MITRE/JASON 
Stu  Johnson,  RAND 
Steve  Katz,  Citicorp 
Phil  Lacombe,  Veridian 
John  Lane,  Nations  Bank 
Don  Latham,  Lockheed  Martin 
Mike  McConnell,  Booz-Allen 
Gary  McGraw,  Reliable  Software 
Technologies 

Scott  Nason,  American  Airlines 
Rich  Pethia,  SEI 
Kevin  Roth,  ITAA 
Doug  Sabo,  ITAA 
Howard  Schmidt,  Microsoft 
George  Spix,  Microsoft 
Stu  Starr,  MITRE 
Francis  Sullivan,  IDA 
Lowell  Thomas,  GTE 
Fred  Thompkins,  Unisys 
Paul  Tobin,  AFCEA 

John  Triechler,  Applied  Signal  Technology 




Terry  Vickers-Benzel,  Network  Associates 
Ken  Watson,  Cisco 
Peter  Weinberger,  Renaissance 
Larry Wright, Booz-Allen

Policy Community:

Norm Augustine, Lockheed Martin Corp.
Murray Gell-Mann, Santa Fe Institute
George Heilmeier, Telcordia Technologies
Robert Hermann, Global Technology Partners
Bobby Inman, formerly NSA and CIA
Paul Kaminski, formerly DOD
Tom Marsh, Air Force Aid Society
Ken Minihan, formerly with NSA
Robert Prestel, IDA Board
Don Rumsfeld, formerly DOD
Jim Schlessinger, MITRE Board
Jeffrey Smith, Arnold & Porter
John White, Harvard
Robert White, Washington Advisory Group
James Woolsey, Shea & Gardner
John Young, Hewlett-Packard

WORKSHOP PARTICIPANTS

June Workshop Participants:

Dwayne Allain, Rome Laboratory
Marjory Blumenthal, NAS
Blaine Burnham, GA Tech
Guy Copeland, CSC
John Davis, NSA
Richard L. Dunn, DARPA
Jay Gowens, ARL
Charles Holland, OSD
Robert Hoover, University of Idaho
Kay Howell, NCO
Stuart Johnson, RAND
Kathy Kincaid, IBM (ret.)
Steve King, NRL
Col. Mark Kindi, ARL
Phil Lacombe, Veridan
Steven Lipner, Mitretek
Christine McBride, DIAP
Mark Montgomery, Nat’l Security Council
Robin Murphy, University of South Florida
Rich Pethia, Software Engineering Institute, Carnegie Mellon University
Steve Rinaldi, OSTP
Fred Schneider, Cornell University
Randall Shumaker, NRL
Stuart Starr, MITRE
David Svec, OSTP
Lowell Thomas, GTE & NSTAC
Fred Tompkins, Unisys
Terry Vickers-Benzel, NAI Labs

September Workshop Participants:

Dwayne Allain, Rome Laboratory
Frank Anger, National Science Foundation
Allan Berg, James Madison University
Guy Copeland, CSC
John Davis, NSA
Bob Eagan, Sandia
Mike Francis, DISA


Carolyn  Fuller,  University  of  Idaho 
Anup  Ghosh,  Reliable  Software 
Technologies 

Paul  Grabow,  Federal  Reserve  Board 

Bruce  Guile,  Washington  Advisory  Group 

Don  Hagerling,  Department  of  Treasury 

Mark  Hill,  University  of  Wisconsin 

Charlie  Holland,  OSD 

Stu  Johnson,  RAND 

Steve  Kaplan,  NIPC 

Bert Kinghorn, DOT

Carl  Landwehr,  MITRETEK 

Peggy  Lipps,  BITS 

Bruce  McDonald,  OSTP 

Jack  Marsh,  College  of  William  and  Mary 

Pam  Martin,  Int’l  Computer  Security 

Association 

Christina  McBride,  DIAP 
Gail  McCarthy,  EPRI 
John  McLean,  NRL 
William  Mehuron,  NIST 
Robin  Murphy,  University  of  South  Florida 
Bob  Nemetz,  OSD 
Tom  Perrine,  UCSD 
Doug  Perritt,  NIPC 
Rich  Pethia,  SEI 
Steve  Rinaldi,  OSTP 
Ron  Ross,  NIST 
Keven  Roth,  DOE 
Doug  Sabo,  ITAA 
Phyllis  Schneck,  Georgia  Tech 
Randy  Shumaker,  NRL 
Gene Spafford, Purdue
Craig  Swietlik,  Argonne 
Peter  Tippitts,  Int’l  Computer  Security 
Association 
Paul  Tobin,  AFCEA 

Terry  Vickers-Benzel,  Network  Associates 
Ken  Watson,  Cisco 




